CLEAR CHOICE TEST

Amid skepticism, cool NAC tools soldier on

Some say NAC is dead, but we find 12 strong NAC products from key vendors. Page 28

Data center upgrades demand attention now

To start data center projects in 2011, evaluations need to be completed by this fall’s budgeting. Page 16


Banks battling crooks who hijack customer PCs

BY ELLEN MESSMER

IN ONLINE banking and payments, customers’ PCs have become the Achilles’ heel of the financial industry as cybercrooks remotely take control of the computers to make unauthorized funds transfers, often to faraway places.

That’s what happened to the town of Poughkeepsie in New York earlier this year when $378,000 was carried out in four unauthorized funds transfers from the town’s account at TD Bank. First discovered in January, the town was able to finally get the full lost amount restored by March, according

► See Bank, page 10
Collaboration success edges closer

Experts at the Enterprise 2.0 conference in Boston last week said the tools are better, we know more about how to deploy them sensibly and we have a better sense of what to expect. But most were in agreement that it is still hard work to get collaboration right.

In a keynote address Andrew McAfee, principal research scientist in the Center for Digital Business at MIT Sloan School of Management, said many collaboration efforts fail because companies just go through the motions. They deploy some software, name someone to lead the program and wait for something great to happen. “The reality is you have some elaborate infrastructure to build. People and process and technology and in an organizational sense. It is never an overnight process.”

But there is no question companies have to embrace the new social tools, says keynoter JP Rangaswami, chief scientist for the BT Group. The younger generation of workers “have better computing experience at home than at work and that requires that we adapt in terms of what we offer as enterprise services.”

A potential impediment to success is the need to give up control, Rangaswami says. That is hard for many organizations. Ten years from now, he says, the speaker giving his keynote will be evaluating our progress in terms of how well we gave up that control.

That doesn’t mean throwing everything to the wind, however. You need a framework for the collaboration tools to get the most out of them, and the tools have to be coupled with business processes to get benefits, speakers agreed.

Do you lock out Facebook and Twitter to encourage use of your internal tools? You have to replicate Web functionality, but if you let a mishmash grow within the organization it will be a mess, said Murali Sitaram, General Manager of Cisco’s Enterprise Collaboration Platform group.

McAfee said many of the early collaboration tools focused on facilitating communications among colleagues with which you already have strong connections. Newer tools are making it easier to collaborate with those in the next concentric ring where the connections are weaker, and those in the ring beyond that where you have no connection but there is business potential.

“This is exactly the right approach,” he said, and a “big progression in short history of Enterprise 2.0.”

There are probably still more stories of failed collaboration initiatives than success stories out there, but with employee expectations changed by consumer services and new tools designed to emulate consumer experience, the time may finally be right for collaboration to take off in a big way.

jdix@nww.com

Twitter.com/JDNWW
iPhone shortage makes no sense

VERY SAD THAT they could not fill the demand. (Re: AT&T temporarily suspends iPhone 4 pre-orders until further notice, says demand 10x higher than it was for the iPhone 3GS; tinyurl.com/2u4jjes) In this day and age there is really no excuse for this. Apple is at fault and so is AT&T. The phones are made so cheap offshore and both parties should have had a warehouse of them before they released them. The money just to hold your order until the boat gets here from China is unfair. If you are going to sell a product you should have it on the shelf and not a promise that it will be here soon.

Theo

OKAY LET ME make it clear first I don’t like Microsoft, but here I am sitting in an airport with my HTC HD2 using Windows phone on a call with a customer.

He sent me a document to discuss, it was pushed to me by my Exchange server. I opened it in Word, reviewed his comments and was able to answer them on the same phone call. I added my comments to the document for him to review. E-mailed the document back to him and we closed the deal still on the same phone call. Try doing that on an Apple iPhone whatever generation and you’ll fall at the first hurdle, race over, contract lost...

Anon

Linux less vulnerable than Windows

MANY PROGRAMS ON Linux can be locally installed by a user, but then they will run only with the user’s permissions and access privileges.

A virus or trojan so installed will only affect that user and not the system as a whole. (Re: Dell says Ubuntu is safer than Windows; tinyurl.com/3y4x6eo) However, if the application is installed by root, then all bets are off. You have to consciously install an application as root, which is not how most people run their systems. In fact, a lot of consumer-oriented distributions, such as Ubuntu, disable logging in as root and try to keep people from installing stuff except via the package manager, where they have some confidence that the code is “clean”.

So, yes Linux systems can be compromised, but it is more difficult than on Windows systems. Note that Microsoft is trying very hard to keep people from defaulting to administrator privileges in its newer systems such as Vista and Windows 7, and require more confirmation that they want to install that application. However, Windows still has a lot of problems with “drive-by” malware installations that Linux systems will never “enjoy”.

Rubberman

LINUX FOLKS SHOULD pay more attention on who is writing code for their projects, especially those who are running large distributions. What they don’t realize is that these Microsoft fanboys can’t wait to hear something like this to spread the FUD. The issue at hand is that they don’t know jack on how Linux security works and tend to throw all kind of nonsense out there for folks to say “see why bother using Linux”.

But yet we see Windows security issues on a daily basis not because of its popularity but because of its poor security design as it was never meant to be a multi-user system.

spartan227

What IP4 address shortage?

I HAVE BEEN hearing for so long that we are running out of addresses. (Re: Run on IPv4 addresses could exhaust supply by December; tinyurl.com/389j5v9)

Two simple solutions: 1) Reclaim unused IP address ranges. I know of several companies that have multiple /24’s that they aren’t using. IANA needs to be more aggressive in reclamation.

2) Take away the public IP ranges from the cell phone carriers. There is no reason that a Blackberry or iPhone needs a public IP address. That move alone should free up several million addresses.

Anonymous
THE HOUSE OF Representatives Homeland Security Committee last week questioned whether the Department of Homeland Security has the authority or resources it needs to protect the nation against cyber attacks. The bad guys have stepped up attacks on U.S. agencies by 400% from 2006 to 2009, yet US-CERT (the DHS division responsible for defending federal civilian agencies against cyberattack) is understaffed and has had four directors in five years. Contractors at US-CERT outnumber federal employees by a ratio of about 3 to 1. “Given these administrative failings, it should come as no surprise that day-to-day operations may suffer,” said Rep. Bennie Thompson, a Mississippi Democrat and chairman of the committee. “There is no doubt that we are not prepared to address a major cyber attack today,” added Stewart Baker, a partner in the Steptoe & Johnson law firm and former assistant secretary for policy at DHS. “If we end up in a serious conflict with five or 10 very sophisticated countries, we will be attacked, and we will not know how to respond.” tinyurl.com/3xvhhsk

Earn a degree in fortunetelling?

IF YOU’RE thinking about going back to graduate school, how about pursuing a degree in predicting the future? DePaul University in Chicago plans to offer the nation’s first master’s degree in predictive analysis, with help from IBM.

The program aims to teach students the technical skills to do computer-based data mining, including advanced data analysis and the ability to handle large data sets. The degree will require students to take marketing courses as well. “It’s not a theoretical statistics degree. It will focus on hands-on use of applications,” said Raffaella Settimi, an associate professor at DePaul’s College of Computing and Digital Media. tinyurl.com/3y3c3ka

iPad-controlled helicopter set for liftoff

IT’S JUST what every IT department needs: a helicopter that wirelessly sends video to its controlling iPad, iPhone or iPod Touch. Due to start shipping in September, the $299 AR.Drone helicopter from France-based Parrot has four fans that allow it to fly in any direction. It streams video from the cameras mounted on its front and bottom back to the controlling device. tinyurl.com/3yh6un4

IPv4 address scraps looking polluted

WE’RE SCRAPING the bottom of the barrel for IPv4 addresses, and it turns out the sludge might not be so desirable.

The few blocks of Internet addresses yet to be allocated under the old IPv4 protocol seem to be home to some “hotspots” of unwanted traffic, including both Internet-borne attacks and benign code for application testing. Though the traffic doesn’t represent a security threat itself, an enterprise that acquired the affected addresses from an ISP typically would have to pay for the transmission of the irrelevant packets, said Manish Karir, a researcher at Merit Network, which is an educational network operator and Internet research center in Michigan. IPv4 only allows for about 4.3 billion addresses, and that supply is expected to run out within the next two years. If some of those remaining addresses are polluted with unwanted traffic, that could make the problem even more urgent for enterprises that want new, usable IPv4 addresses. tinyurl.com/3xslngp

IT VIDEO

Motion, 3D the rage at E3

At last week’s Electronic Entertainment Expo, Microsoft and Sony joined the motion-control arena with new controllers, and Nintendo launched a 3D handheld game system that doesn’t require glasses. tinyurl.com/35trk7p

No more IE patches for Windows XP SP2

WINDOWS XP shops that have put off upgrading to Service Pack 3 or shifting to a newer edition of Windows will soon have a new concern to worry about: exposure to Internet Explorer vulnerabilities. Although Microsoft has told XP SP2 users several times this year that it will retire the 2004 operating system on July 13, users may not realize they will not receive any IE security updates after that
GOOD | BAD | UGLY

Motorola, RIM settle

IN THE smartphone market it’s generally been another week, another lawsuit. So it was good to see that Motorola and Research in Motion have come to a settlement that will end all pending litigation between them. The long-term agreement involves standards such as 2G, 3G, 4G and 802.11, as well as wireless e-mail, according to a brief statement. Motorola and RIM will also give each other certain patents. Now if only Apple, Nokia, HTC and the rest will follow suit.

Facebook users targeted again

HUNDREDS OF thousands of Facebook users fell victim to yet another rogue application, this one identified as a video claiming to show a teacher nearly killing a boy. With the lure of the message “Teacher nearly kills a 13-year-old boy. SHOCKING!,” the rogue app could take control over the victim’s Facebook profile page and spread by appearing on the victim’s Facebook wall, according to security company Sophos. One concern is that the rogue app might try nasty tricks in the future, like phishing for friends’ passwords. Sophos is advising anyone who falls victim to this scam to take steps to remove the app from their profile and delete posts associated with it.

BP cleans up, at least on Google

EMBATTLED ENERGY company BP has been taking some additional licks in light of its acquiring key ad words on Google’s search engine. The result: when people search on phrases like “oil spill” they wind up seeing sponsored links to happy stories on BP’s Web site. Critics say BP would have been better off using the money it spent on key ad words to clean up the gulf oil spill.
$1,000 PC by 2020 will have the raw processing power of a human brain.

SOURCE: CARNEGIE MELLON ROBOTICS INSTITUTE

date. The practice of linking browser patches to operating systems’ support life cycles is a longstanding Microsoft policy. However, it means that users still relying on XP SP2 will be at risk for exploits of any IE vulnerability that Microsoft patches after July 13. According to data from Qualys, about half of all enterprise PCs running XP were still using SP2 as of late last month. Microsoft intends to support Windows XP SP3 until mid-April 2014. tinyurl.com/2udg2lw

Don’t forget the glasses

THE 3D craze has spread from cinemas to TVs and now to laptops. The latest is from PC maker Lenovo, which just announced its first 3D laptop aimed at gamers and users who want to watch HD movies. The Lenovo IdeaPad Y560d includes a 15.6-inch screen, 3D glasses and software that can take normal 2D content such as movies and make it appear in 3D. The Y560d laptop is priced starting at $1,200. tinyurl.com/35q6uug

Oracle bilked the Feds?

ORACLE IS being sued by the U.S. government for allegedly overcharging it by millions of dollars. The government’s action joins an earlier complaint filed by an Oracle employee, Paul Frascella, in May 2007. “The whole idea of GSA schedule discounts is that the government, in the aggregate, is likely to be one of the largest purchasers of a company’s products, and is entitled to take advantage of the discounts that its large buying power should command,” the complaint states. However, Frascella learned that Oracle was finding ways around the GSA restrictions in order to give commercial customers even deeper discounts, according to the complaints. One alleged practice saw Oracle “selling to a reseller at a deep discount ... and having the reseller sell the product to the end user at a price below the written maximum allowable discounts.” Overall, Oracle’s actions cost U.S. taxpayers “tens of millions of dollars,” the suit states. tinyurl.com/359vqxa

Eucalyptus friends Windows

EUCALYPTUS SYSTEMS has released an update to the commercial version of its private cloud software, Eucalyptus Enterprise Edition, that now lets users run instances of the Windows operating system in a self-provisioned cloud, in addition to Linux. Developed by a University of California researcher with funding from the National Science Foundation, Eucalyptus allows anyone to set up a cloud platform, which then can be offered as a service, either internally or publicly.

Version 2.0 of the software can track usage and costs for predefined groups. tinyurl.com/343ox7b




TREND  ANALYSIS 


►  Bank ,  from  page  1 

to  public  records,  through  sometimes  tense 
interaction  with  the  bank. 

Though  the  town  declines  to  discuss  the 
matter,  this  big-dollar  cyberheist,  along  with 
a  slew  of  other  incidents  in  the  past  year,  has 
many  bank  officials  worried.  They’re  con¬ 
cerned  that  the  customer  desktop,  especially 
in  business  banking  where  dollar  amounts 
are  high,  is  increasingly  the  weak  link  in  the 
chain  of  trust. 

Other  cyberheists  that  have  reached  the 
public  eye  include  Hillary  Machin¬ 
ery  of  Plano,  Texas,  for  $801,495; 

Patco  Construction  for  $588,000; 

Unique  Industrial  for  $1.2  million; 
and  Ferma  Corp.  for  $447,000. 

Schools  and  churches  aren’t 
immune,  either.  One  FBI  report 
from  late  last  year  said  the  agency 
gets  several  new  victim  complaints 
each  week. 

And  businesses  should  be  even 
more  worried  than  consumers 
about  whether  banks  will  restore 
monies  stolen  by  cybercrooks 
exploiting  compromised  comput¬ 
ers  using  botnet-controlled  mal¬ 
ware.  According  to  Gartner  ana¬ 
lyst  Avivah  Litan,  while  consumer 
accounts  receive  specific  legal  pro¬ 
tections  to  restore  unauthorized 
transfers  under  what’s  called  the 
“Reg  E”  federal  regulations,  businesses  do  not. 

Disputes  over  hijacked  computers  and 
fraudulent  transfers  are  erupting  into  the  pub¬ 
lic  eye  as  businesses  quarrel  with  banks  over 
who  is  at  fault  when  a  cyber-gang  makes  off 
with  the  money.  The  restoration  of  lost  funds 
occurs  on  a  case-by-case  basis. 

The  dilemma  for  banks  boils  down  to  this: 
How  far  can  they  go  to  help  protect  customer 
desktops  that  function  like  part  of  their  shared 
network  but  aren’t  owned  by  the  bank? 

Banks  are  faced  with  the  prospect  that 
“customers  own  PCs  that  have  been  in  the 
hands  of  Russian  crime  syndicates,”  says 
Jeff  Theiler,  senior  vice  president  at  Hancock 
Bank,  which  primarily  operates  along  the 
Gulf  Coast  region. 

Like  many  other  banks,  Hancock  finds  itself 
getting  more  involved  in  helping  customers 
defend  their  machines.  One  recent  step  has 
Hancock  making  available  for  free  special¬ 
ized  protective  software  for  use  by  the  bank’s 
100,000  e-banking  customers. 

Developed  by  Trusteer,  the  software 
becomes  active  when  the  customer’s  PC  is 
interacting  with  Hancock  Bank’s  online 
banking  services.  Basically  a  browser  plug¬ 
in,  the  security  software  can  detect  and  block 
keylogging,  stop  re-directions  of  the  user 


and  inform  the  bank  if  the  PC’s  infected  with 
malware. 

If  a  problem  is  detected,  “the  bank  will  call 
them  and  tell  them,”  Theiler  says,  adding 
cybercrooks  would  rather  target  high-dollar 
automated  clearinghouse  (ACH)  transfers 
and  other  substantial  payment  transfers 
from  business  customers,  but  they  wouldn’t 
turn  down  what  they  might  be  able  to  get 
from  consumers  doing  online  e-banking. 
“No  bank  is  immune  from  being  faced  with 
these  ACH  issues  regarding  a  computer  mal¬ 
ware  attack,”  Theiler  says. 


But  it’s  a  tough  question  on  how  far  the 
banks  can  or  should  go  to  try  and  impose 
security  requirements  on  their  customers’ 
desktops.  Theiler  acknowledges  that  the 
approach  for  existing  online  banking  custom¬ 
ers  is  mainly  to  “highly  recommend”  using  the 
Trusteer-developed  software. 

The  Trusteer  software,  tailored  for  each 
bank,  is  now  offered  by  almost  40  institutions, 
including  SunTrust,  HSBC,  Fifth  Third  Bank, 
ING  Direct  USA  and  Huntington  National 
Bank.  Trusteer,  along  with  Prevx  and  Trust- 
Defender,  are  among  the  few  security  ven¬ 
dors  coming  up  with  defenses  of  this  type  for 
the  banking  industry,  according  to  Gartner’s 
Litan.  She  faults  larger  security  software 
providers,  including  McAfee,  Symantec  and 
Trend  Micro,  for  doing  so  little. 

But  this  type  of  help-the-customer  bank¬ 
ing  software  is  not  an  approach  Litan  thinks 
should  necessarily  be  a  high  priority  for 
financial  institutions. 

“My  advice  to  banks  is  they  can’t  count  on  it, 
it’s  not  ubiquitous,”  she  says,  adding,  “They 
need  to  make  clear  it’s  not  total  protection.” 

Once  banks  get  involved  in  this  help-the- 
customer  software  approach,  a  number  of 
potential  liability  issues  may  arise  if  some¬ 
thing  bad  does  occur,  she  says.  “The  higher 


priority  should  be  on  things  they  can  control, 
such  as  fraud  detection  and  out-of-band  pro¬ 
tections,”  Litan  suggests. 

This  so-called  out-of-band  security  in 
e-banking  and  payments  includes  auto¬ 
mated  phone  calls  that  can  be  initiated  when 
online  behavior  analysis  tools  indicate  suspi¬ 
cious  online  behavior,  as  well  as  systems  that 
involve  a  recording  of  a  voice  pattern  that  can 
be  matched  against  someone  speaking  their 
password. 

“The  threat  landscape  is  changing,”  says 
Christopher  Beier,  senior  product  manager 
in  the  electronic  banking  services 
group  at  Fiserv,  an  online  payment 
and  services  technology  provider 
for  banks.  Fiserv  recently  began 
to  make  the  PhoneFactor  phone- 
based  out-of-band  authentication 
system  available  to  its  customers, 
which  include  24  of  the  largest 
banks. 

Phone-based  authentication 
“doesn’t  take  you  away  from  the 
online  banking  channel,”  Beier 
says.  “But  I  know  the  computer 
might  be  compromised.  So  you 
take  the  authentication  out  of  that 
channel  and  onto  the  phone.”  This 
method  will  likely  hold  the  most 
appeal  in  high-risk,  large-dollar 
transactions,  he  notes. 

Bank  Leumi,  as  well  as  some 
banks  in  Australia,  are  known  to  be 
leading  the  charge  in  this  type  of  out-of-band 
authentication,  Litan  says,  but  there  are  few 
practical  roll-outs. 

Another  approach  involves  beefing  up 
back-end  fraud  detection  that’s  in  use  to  mon¬ 
itor  for  credit-  and  debit-card  fraud  so  that  it 
also  includes  e-banking  and  payments. 

Dual-authentication,  which  requires  at 
least  two  people  to  approve  a  transaction, 
also  ups  the  security  ante,  Litan  points  out. 
Another  approach  she  believes  can  be  effec¬ 
tive,  called  “positive  pay,”  involves  setting 
guidelines  in  advance  on  exactly  who  the 
bank  is  authorized  to  pay  and  the  thresholds. 
Litan  acknowledges  that  though  it  sounds 
simple,  “positive  pay”  can  be  hard  to  do 
because  business  software  may  not  already 
be  set  up  for  this  or  businesses  need  more 
flexibility  than  that  approach  allows. 

Brian Krebs, an investigative journalist who has put the spotlight on the cyberheist epidemic in his online column KrebsOnSecurity, comments, “My mantra on this continues to be that any commercial banking technology that does not begin with the premise that the customer’s machine may be and probably is already compromised with malicious software doesn’t stand a chance of defeating today’s cyber crooks.”


“I wouldn’t recommend banking online with Windows.”
JOE STEWART, DIRECTOR OF MALWARE ANALYSIS, SECUREWORKS

“The criminals appear to be limited not by law enforcement or bank security, but mainly by the number of money mules they can harness at any one time to help them haul the loot from the accounts they’ve compromised,” Krebs says, adding he’s investigating whether one group is actually “contracting that process out to several different mule recruitment and cashout gangs” in order to find enough money mules.

According to an FBI report from last November about cyberheists and the role of the money mule, cybercrooks’ fraudulent ACH transfers are often directed to the bank accounts of willing or unwitting individuals within the United States.

These people are often recruited through “work from home” advertisements or contacted by recruiters after placing resumes on popular employment sites.

Compromised computers used in online banking have gotten the attention of the Financial Services Information Sharing and Analysis Center (FS-ISAC), a group whose mission is to provide a forum where its members, which include Citigroup, Bank of America, Goldman Sachs and Merrill Lynch among others, can discreetly share security concerns and keep direct contact with federal officials.

FS-ISAC has gone so far as to send out a notice telling its membership to only interact with business customers via computers without browser and e-mail capability. It was an awkwardly worded recommendation that was later clarified to mean a “PC dedicated to online banking,” Litan says. But she regards this as inadequate.

Other recent activity in the federal government sector includes a symposium organized by the Federal Deposit Insurance Corp last month on the threat of hijacked computers and cybercrime to business.

“The user workstation is the weak point,” says Joe Stewart, director of malware analysis at SecureWorks, who has done extensive work looking at botnet-based Trojans such as ZeuS and Clampi designed to hijack the victim’s computer and execute unauthorized financial transactions by stealing credentials and account information.

The basic architecture of online banking was designed without the idea that the user would encounter this type of malicious Trojan, he notes, adding, “In that sense, this paradigm of banking is broken.”

Since the known banking Trojan malware is Windows-based — “there are no Mac banking Trojans yet,” Stewart says — he views the situation today as largely one centering on Windows-based machines. “I wouldn’t recommend banking online with Windows.” ■


Your tech vendor’s been gobbled up: Now what?

BY JIM DUFFY

BROCADE’S  ACQUISITION  of  Foundry 
Networks  took  Foundry  customer  LINX  by 
surprise. 

The  London  Internet  Exchange  had  been 
using  Foundry’s  switches  and  routers  for 
10  years,  and  the  vendor  showed  no  signs  of 
being  an  acquisition  target  or  candidate. 

“Those  signs  tend  to  be  rather  obvious,” 
says  LINX  CEO  John  Souter.  “They  weren’t 
necessarily  showing  those  signs  when  the 
Brocade  thing  happened.” 

Souter and his colleagues at LINX went through a range of emotions when the news broke in July 2008 of Brocade’s $3 billion offer. Especially since LINX didn’t know a whole lot about Brocade.

“We  asked  the  people  who 
were  deploying  the  Brocade  technology 
what  they  thought  and  generally  got  very 
encouraging  noises.  Since  then  ...  we’re 
really  encouraged,”  Souter  says. 

Souter’s reactions are typical of a customer of a company being acquired. Users worry that their assets might be stranded or neglected after their primary vendor is purchased, due to product streamlining, an exodus of expertise, strategic refocus, or all three.

After a lull in high-tech acquisitions during the recession, merger and acquisition activity has picked up again and some analysts predict that further big deals lie ahead. For customers, acquisitions can throw into question future plans and the stability of projects underway.

Andrew Poodle is going through his second such situation. Poodle and his Craftspeed Web site development company use the MySQL database in its clients’ projects. He was a MySQL user when Sun bought MySQL in 2008, and it was deja vu all over again for Poodle when Oracle bought Sun.

“When the takeover was announced there was initially some worry and concern,” Poodle says. “The transition itself has been relatively painless in terms of the interaction between customer and MySQL. We still talk to the same people who have the same knowledge and passion for a product they have helped develop. The day-to-day stuff hasn’t changed, but I think that’s not where the worries and concerns lie.”


Oracle appears to be putting more emphasis on the enterprise version of MySQL than on the product’s community edition, Poodle says. Resources available to community users are less apparent than they are to customers of the enterprise edition, he says.

Of more serious concern is the lack of life-cycle policy information for community users. “If you look at the life-cycle policy carefully, it promises the extended support for enterprise customers,” Poodle says. “There is no mention of community.”

He says users of the community edition had to haggle with Oracle to get the latest security patch for the software. (Oracle did not respond to requests for comment.)

Users who’ve experienced one of their primary vendors being acquired suggest being proactive in opening up the lines of communication with the acquiring company.

This helped Techevolution, an IT consultancy and data center collocation company that went through Dell’s acquisition of EqualLogic, to avoid any hiccups. EqualLogic supplies Techevolution’s iSCSI storage arrays and Dell acquired the company in 2007 for $1.4 billion.

“We were worried but it went very, very smooth from the transition of tech support to new equipment that we purchased from Dell,” says Techevolution CEO Corey Tapper.

Techevolution ran a tech support “fire drill” shortly after Dell closed the EqualLogic deal by disabling a drive in one of its EqualLogic arrays. “Dell had the same [outage] response, if not faster,” Tapper says.

He recommends users be proactive in learning as much about the acquiring company and its strategy as possible, while maintaining and even accelerating dialogue with the supplier being acquired.

“Some people buy equipment and never talk to their vendor again unless something breaks or they go and buy something five years later,” Tapper says. “We were constantly talking to our vendors. Being prepared and knowing who the new parties are and getting acquainted with them is really important, because if you don’t know them, one day you wake up and you’re married to a new company. You don’t know what the protocol is for the new company, and that could cause some grief.” ■
Bill Schlough

SENIOR VICE PRESIDENT AND CHIEF INFORMATION OFFICER, SAN FRANCISCO GIANTS

Bill Schlough and team have implemented an array of revolutionary systems to create a competitive advantage on and off the field. His team provides day-to-day technical support while collaborating with internal clients to set the technological direction for the San Francisco Giants.

Simplicity in The Field

ShoreTel Steps up to the Plate for SF Giants to Improve Service, Lower Costs


Introduction

In 2007, the San Francisco Giants finished first — first in Major League Baseball for spending on telephony, that is. Giants CIO Bill Schlough says he was motivated to change that dubious distinction, and set in motion a project to lower communications costs, reduce complexity and improve service. Schlough and team turned to ShoreTel for their communication solution. "Really, it was the simplicity and the reliable architecture that stood out as key differentiators," Schlough says.

ShoreTel, a leading provider of unified communications solutions, based in Sunnyvale, Calif., offers simplicity as its core advantage. ShoreTel's architecture differs fundamentally from other Voice over Internet Protocol (VoIP) telephony solutions in that it was built from the ground up for IP. It's open, switch-based and designed to grow from day one. For business-focused CIOs increasingly tasked with managing telecom along with IT and networks, ShoreTel's solutions fit right in with existing infrastructure. As Schlough points out, they're as easy to manage and scale, as they are to deploy and use.

Here's what Schlough had to say about the Giants' ShoreTel experience:

What was your reaction when you learned the Giants were No. 1 in telecom spending?

I immediately picked up the phone and called our trusted partner, AT&T, to help us identify the cause and propose a solution. I knew it was time to dig in, and change our position. We had been using a Centrex model for our telecommunications needs, and had not prioritized making the move to a more modern and cost-effective solution. Our objective in making a change was threefold:

■ Reduce the operating costs of our telecom facilities;

■ Improve the ease of management, support and use of our telecom platform for all its related services;

■ Improve productivity in our front office, and be able to use telecom as a tool to drive our business.

A system that's designed from the ground up to leverage the inherent advantages of IP, such as a distributed and resilient architecture, offers a number of key advantages. When you compared ShoreTel's approach with Cisco and Avaya, what unanticipated advantages did you also discover?

We expected that we would be facing a significant learning curve with any solution we selected. Since we were accustomed to an outsourced model — the Centrex system — we knew we would need to build our internal expertise. We anticipated that our actual bills would be reduced, but we also anticipated a need to increase our support staff, train them in managing the system, and retrain all of our end-users on the operation of the new system. We also expected to have some degree of reduced reliability because we viewed the new VoIP systems as being more computer based, and lacking the rock-solid reliability that we had grown to expect with Centrex. The thought of rebooting our phone system was naturally a bit disconcerting, to say the least. But, none of those anticipated issues materialized.

How have you been able to reduce the level of complexity that typically accompanies the technology required to operate a state-of-the-art 21st Century ballpark?

We built our park in 2000 to be as future-proof as possible. To achieve that, we prewired every conceivable location we thought might eventually need a network or phone connection. It was a good plan at the time, but it led to an extensive and complex wiring configuration. For the voice side of the equation with our legacy system, that meant we had to do a lot of cable management for changes of phone locations. With our ShoreTel VoIP system, all the moves and changes are logical rather than physical. We simply reassign the telephone unit to a new location or user through our management console. It's a simple, browser-based interface with a view of the entire system.

Our call center was similarly complex because it was a legacy system that was becoming increasingly challenging to support through our Centrex phone system. In order to get even the smallest changes made, we needed to hunt down technical people who were qualified to service our outdated system. It was expensive, and took a lot of time and effort just to find the experts. Now, we're able to make changes in our new call center system through our ShoreTel management console. The changes are easy to make, and don't require highly trained experts — we handle all of the changes and updates internally.

ShoreTel's brilliantly simple approach to IP-based communications offers many benefits that standard server-based solutions cannot provide, including highly reliable switches and built-in redundancy, easy integration with existing business systems, and powerful, feature-rich unified communications capabilities. What additional benefits have your staff discovered from ShoreTel's flexible system?

We expected to devote significant time sending our staff to training classes so they could learn the administration functions, but that's been totally unnecessary. The ShoreTel solution is easy to use and manage, and when the staff has questions, they are able to reach out [to ShoreTel] and get their questions answered.

Bottom line: Like any other IT component, the most important measure of success for the Giants' communications system is business value. An intentionally less-complex system from ShoreTel is paving the way for easy integration with the Giants' internal systems such as customer relationship management, which means better customer service. And let's not lose sight of the issue that started the Giants down the path to ShoreTel — costs. ShoreTel's proven return on investment and industry-lowest total cost of ownership were strong differentiators. What other factors have led to the success of your ShoreTel deployment?

Now that we've put the ShoreTel system in place, we have been able to remove the complexities that were limiting what we could do, and we are now able to better leverage the tools we have. Almost all companies say that they guarantee customer satisfaction, so it almost sounds trite. But ShoreTel really walks the walk.

ADVERTORIAL


Now that we've put the ShoreTel system in place, we have been able to remove the complexities that were limiting what we could do.

SPECIAL FOCUS: UNIFIED COMMUNICATIONS


UC  pays  off  for  engineering  giant  Fluor 


Global  engineering  firm  Fluor  has  invested  $10  million  to  $12  million  in  its  unified  communications 
infrastructure,  which  covers  15,000  IP  telephones  over  30  systems. 


BY JIM DUFFY

FLUOR CORP. wasn’t specifically looking to implement a unified communications infrastructure, but pressing telecom needs took the engineering giant there anyway.

Fluor had been a customer of Fujitsu, which exited the U.S. PBX business in 2001. That forced Fluor’s hand to not only work with another vendor but also find one that could allow the far-flung company to set up and tear down ad hoc systems for project teams on a moment’s notice.

“We’re in constant greenfield/mobilization deployments,” says Gary Rogerson, voice architect for enterprise voice services at the $22 billion global engineering, procurement, construction and maintenance services company. “We constantly bring out new systems and bring them back and do it over again, every three months to two years.”

Fluor has been working with Avaya since 2006 and has invested $10 million to $12 million in its UC infrastructure. The company has about 15,000 mostly IP telephones over 30 systems, and has implemented Avaya Aura Session Manager to connect several locations via Session Initiation Protocol (SIP) trunks.

Avaya Aura Session Manager is an IP-based, core routing engine that enables centralized installation and distribution of communications applications to branch, field, remote offices and teleworkers, eliminating the need to install applications at every location. This is key for Fluor as it establishes and then decommissions communications systems at construction sites on the fly.

“Our focus is on rapid mobilization and demobilization of project sites,” Rogerson says. The sites generally support five to 500 users, from two months to two years, and oftentimes with very little notice. “We’ve had some FEMA [Federal Emergency Management Agency] work that’s come up with [Hurricane] Katrina, where I got called on the weekend and we had to have a PBX up and working with 1,200 handsets within four days.”

Trying to do this for a project site of 150 people with a digital TDM PBX would cost $120,000 to $135,000 vs. $18,000 to $20,000 for an IP PBX, handsets and applications, Rogerson says.

Even though this kind of flexibility and cost savings at the job site was the main catalyst for going with an IP-based UC system, Fluor implemented it companywide as well, at its Irving, Texas, headquarters and 135 offices worldwide. One of the applications running on top of the infrastructure is ABST’s Call Express unified messaging package, a Web-based application that connects the voice mail systems of Fluor’s 45,000 employees.

With Call Express, users go to one URL and type in the same login used for phone access to get a Webmail interface that shows all of their fax and voice messages, Rogerson says. They also get notifications, with a URL, of those messages sent to their e-mail. (Fluor’s legal department won’t allow WAV file attachments in e-mails that actually play back the message on a user’s computer, Rogerson says.)

Fluor is also looking at deploying IP video on top of its UC infrastructure as a replacement for an older videoconferencing system using older ISDN equipment and circuits. The impetus for this was the recent global recession and the desire to reduce both telecom and travel costs, Rogerson says.

“You can really rack up the charges with ISDN,” he says.

Fluor is currently wrapping up its initial deployment of Cisco Tandberg H.264-based videoconferencing systems.

The company is also deploying SIP trunks between its centralized Avaya Aura Session Manager system and a mobile PBX system from Sprint/Nextel. This will allow any Sprint handset used by a Fluor employee to function as an Avaya handset, Rogerson says, with short digit dialing between any phone on the company’s IP network.

Any call on the network will not incur airtime charges, Rogerson says - Sprint treats it like a mobile-to-mobile call and charges come in a static monthly bill.

A drawback to the UC deployment is that Avaya service and support still seems rooted in the old world, he says.

“There’s still an old telephony mentality on the service and support side as well as some of the architecture within Avaya,” he says. “That’s been an issue for us because we’re a complete self-support site. We have four Avaya engineers, all top-level certified. But we constantly run into issues where we don’t have access to do this or that even though we’ve got the highest-level customer access.”

That glitch, however, is not stopping Fluor from expanding its implementation. Ongoing plans include deploying more SIP trunks to replace point-to-point IP links, which will augment DID routing for a private dialing plan, Rogerson says.

Fluor has already replaced 20 ISDN Primary Rate Interface circuits with SIP trunks for a 30% to 40% savings, he says.

The company is also relying on SIP to allow it to further integrate collaboration applications, such as IBM’s Lotus Sametime and Domino, Microsoft SharePoint, OCS and Live office documents, and Google Wave into its UC infrastructure.

“The eventuality is that we’ll have a corporate Facebook application that will [support] IM and desktop videoconferencing, integrated with click to dial, e-mail, and groups with teams or projects that you’re working on,” Rogerson says. “It’s all one Web-based app that has all collaborative tools . . . with some sort of hook-in to video and voice.

“I look at UC as . . . unified communications and collaboration,” he says. ■


Smooth skating for Buffalo Sabres’ UC project

The National Hockey League’s Buffalo Sabres needed a customer-driven system that facilitates rapid response from the team’s account services and ticket office operations.

“The business that we’re in relies so heavily on our phone system that we knew we needed to be on the cutting edge,” says Dan DiPofi, COO of the Buffalo Sabres.

Plus, Fujitsu exited the market, leaving the Sabres with an aged, obsolete system on a copper infrastructure, bereft of replacement parts.

The Sabres are three years into their $400,000 implementation of a ShoreTel UC system, which includes 20 ShoreGear voice switches and 700 IP phones connected over fiber. Integrated with the system is the Sabres’ CRM application, which displays information about the caller when the call comes in to HSBC Arena in Buffalo, N.Y.

Displays show relevant information on new callers and those already in the database, so agents see the caller’s level of participation and can respond appropriately.

The Sabres also integrated ShoreTel’s Personal Call Manager application with Microsoft Outlook to put all of the team’s employees on the same phone and voice mail system. This allows for integrated messaging, such as contact screen pop and calendar integration, so that employees can make calls from local online directories with the click of a mouse.

The system also allows for a virtual office setup, DiPofi says, in which phone messages follow employees around wherever they are — in a fixed location or mobile — and also show up as WAV files in e-mails.

Future capabilities of the system the Sabres are contemplating include the ability to queue callers to the account services department according to how much business they do with the organization.

“People would have priorities based on their status within the organization,” DiPofi says. “A suite holder spending a couple hundred grand a year moves farther up in the queue than someone on hold inquiring about the circus.”

— Jim Duffy


Untangle business communications with brilliant simplicity.

Communications complexity ends with ShoreTel. Experience a simpler, more reliable way to share, connect, and collaborate. ShoreTel’s brilliantly simple IP phone system delivers true unified communications built for the IP age. Easy to integrate. Easy to scale and easy to manage. Visit shoretel.com/untangle and untangle your communications now.

Brilliantly simple


TREND ANALYSIS

Data center upgrades demand immediate attention

BY TIM GREENE

SCHOOL  IS  out  for  summer,  but  it’s  time  for 
IT  executives  to  hit  the  books  to  prepare  for  a 
2011  data  center  refresh  that  will  deliver  cost 
savings  enabled  by  virtualization  and  flatter 
architectures  with  lower  latency. 

Enterprises need to tap major data center infrastructure vendors, not necessarily to choose one but to hear what they propose and determine how their proposals align with the needs of the company, says Tom Nolle, president of tech consulting firm CIMI Corp.

Brocade: With its purchase of Foundry, Brocade just announced a data center strategy that relies on Brocade’s historic storage strengths in combination with Foundry’s switching expertise.

Cisco: Holistic approach relies mainly on Cisco-made gear announced last year.

Enterasys: Freshly announced strategy that relies on partners and is anchored on limited switch offerings.

HP: With its purchase of 3Com HP makes many of the essential data center elements, reducing the number of vendors to deal with and assuring interoperability.

IBM: A server- and management-centric strategy articulated last year that relies on resellers and OEM partners to provide the network infrastructure, including Juniper.

Juniper: Its Stratus Project announced earlier this year relies on server, storage and software partners to develop a data center fabric that includes management, storage, computing and switching.

“The  2011  data  center  refresh  will  be  the 
most  complicated  thing  ever  attempted  by 
enterprises,”  Nolle  says.  Reading  proposals 
from  data  center  vendors  is  the  best  way  for 
decision  makers  to  educate  themselves  about 
the  real  architecture  issues,  he  says.  So  far, 
education  is  lacking. 

Based on CIMI surveys, general ignorance about data center issues is high. Ideally, technology literacy should be identical whether a business has a related project underway or not, Nolle says. That way, potential customers are informed even if they have no immediate need for the technology.

But in the case of data centers, there is a 70% difference in literacy between those who have no ongoing data center projects and those who do, he says. So businesses just beginning to plan data center projects have a steep learning curve, especially if they plan to make a purchase near-term.

“That means you’re flying by the seat of your pants, and the decision-making process will be stressful,” Nolle says. “That’s a tough position to be in when management is demanding success and ROI.”

However,  the  urgency  to  make  decisions 
may  not  be  as  great  as  Nolle  projects,  suggests 
Zeus  Kerravala,  an  analyst  with  the  Yankee 
Group.  Redesigning  and  building  virtualized 
data  centers  are  major  projects  that  warrant 
time  spent  choosing  the  right  alternative. 
Mainstream  adoption  might  not  occur  until 
2012  or  2013,  he  says.  “It  needs  to  be  proven 
that  it  works,  and  that’s  a  big  leap  of  faith  right 
now,”  he  says. 

One indicator of customer commitment to data center upgrades is what they spend on data center switches, says Matthias Machowinski, an analyst with Infonetics. Sales of data center switches worldwide were $3.2 billion in 2009 and are projected to be $3.7 billion this year. The average growth from 2009 to 2014 is expected to be 10% per year.

That may not seem like extraordinary growth, but during the same time period, the price of 10Gbps ports is expected to drop, so total revenue growth registers a lower rate than growth in numbers of ports, he says. Infonetics projects 8 million 10Gbps ports will ship in 2010 and 14 million in 2014.

Regardless, the technology is complicated
► See Datacenter, page 25
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Two  leading  IT  strategy 
experts  from  MIT  on  what 
CIOs  need  to  know  about  the 
opportunities — and  threats— 
of  a  world  where  evolving 
technology  enables  compa¬ 
nies  not  only  to  be  smarter, 
but  to  act  smarter,  too 


(Then  Put  It  Everywhere) 


From  the  Editor-in-Chief,  MIT  Sloan  Management  Review 


Smart  companies  are  racing  to  find  new  ways  to 
capitalize  on  exponentially  increasing  computer 
power,  storage  capacity,  communications  speed, 
and  “smart-world”  instrumentation.  They’re  finding  bet¬ 
ter  ways  to  make  innovation  happen  every  day. 


But  the  key,  says  Jeanne  Ross,  is  for  companies  to  start  by  ignoring 
technology. 

Really,  she  says.  Ignore  it. 

Strange  advice,  coming  from  the  director  and  principal  research  sci¬ 
entist  at  the  Center  for  Information  Systems  Research  at  the  MIT  Sloan 
School  of  Management.  But  that’s  the  best  way  to  let  IT  work  for  you,  she 
says.  Companies,  Ross  argues,  need  first  to  figure  out  what  kind  of  value 
they  want  to  create  before  they  can  usefully  consider  how  IT  can  help 
them  create  it.  They  need  to  trust  themselves — and  trust  technology 
and  their  CIOs — to  work  backwards  from  the  vision  of  how  they  want  to 
operate  and  what  they  want  to  be. 

Moreover,  it  doesn’t  matter  whether  your  business  is  science-oriented, 
tech-oriented,  media-oriented,  people-oriented,  or  far-off-the-grid- 
oriented.  Andrew  McAfee,  research  scientist  at  the  Center  for  Digital 
Business  at  the  MIT  Sloan  School,  says  that  if  you’re  not  now  using  data 
and  scientific  analysis  to  back  up  intuition  when  making  a  decision,  you 
soon  will  be. 

The  following  conversations  with  Ross  and  McAfee  make  up  the  first 
in  a  series  of  special  editorial  sections  created  by  the  editors  of  MIT 
Sloan Management Review as they explore the shape of “The New Intelligent
Enterprise.” The goal of the series is to provide strategic insights
to IT leaders about how to address the challenges and opportunities
presented by the ever-evolving nature of what technology can do. This first
section  draws  on  the  expertise  of  leading  MIT  faculty  members;  coming 
sections  will  feature  insights  from  top  corporate  executives. 


— Michael S. Hopkins,
Editor-in-Chief,  MIT  Sloan  Management  Review 


JEANNE ROSS

Why  Heroes  are  Bad 

MIT  technology  strategist  Jeanne  Ross  tells  why  technology  will  underpin 
everything,  become  a  bigger  business  driver  than  ever,  and  lift  the  significance 
of  the  CIO — but  shouldn't  be  the  first  thing  an  organization  thinks  about. 


Jeanne  Ross 


CIOs will become business process engineers. And
IT managers are perfectly positioned to do this because
their entire lives have been spent understanding processes
as they've implemented technology to support them.


CIOs  are  now  asked  not  only  to  ensure  that  IT  works 
seamlessly  while  cutting  costs,  but  also  to  drive 
growth.  What  changed? 

Several  things.  What  tends  to  happen  is  that  non- 
CIOs  running  an  organization  look  at  competitors 
and  start  to  get  their  arms  around  what  information- 
related  innovations  are  possible.  They  don’t  fully  see 
the  opportunities,  but  they  see  that  what’s  ahead  is 
going  to  be  an  IT-driven  phenomenon.  They  decide 
that  their  current  data  won’t  get  them  there.  And  they 
turn  to  the  CIO  and  say,  “Fix  it.”  Or  a  company  has 
made  an  acquisition  and  they’ve  been  talking  about 
cost  savings,  as  well  as  promising  new  services  to 
customers.  They  bring  the  new  company  on  and  say, 
“Well,  how  are  we  going  to  make  this  happen?” 

It used to be that a lot of people found operations
uninteresting. But there’s been a slow recognition
that success is not just about finance, say, or building
the right portfolio of companies. It’s about getting
operations right.

And  IT  becomes  the  path  to  operations  success? 
Actually, I think companies are better off not thinking
about technology. Stop framing it as, “What will
technology  let  me  do  and  then  I’ll  figure  out  what  I 
want  to  do  with  my  business.”  You  used  to  have  to  do 
that,  but  you  don’t  anymore.  Now  you  can  imagine 
how  you  want  to  run  your  business  and  then  ask  how 
technology  can  get  you  there. 

At this point, if there’s something you really want
to do, somebody will be able to help you find a technology
that will do it. And it will probably be affordable.
The more fundamental question is a matter of sitting
down with the smart people that are already inside
the company and asking, “How can we operate?” This
is a decision you have to make. You have to put a stake
in the ground and start building a foundation for it.

But  you're  an  IT  person,  and  it  sounds  like  you're 
saying  IT  is  secondary. 

Yes, I am telling you to ignore the technology. “Ignore”
is a strong word, but because people are so crazy
about IT now, I think it’s the right advice. Ignore the
technology. Think about how you would like to run
your business.

What's  the  role  of  CIOs,  then?  What  should  they  be 
doing  to  ensure  they  play  a  valuable  strategic  role 
in  leading  companies  to  capitalize  on  what  IT  now 
can  do? 

The  CIO  will  continue  to  have  responsibility  for 
technology  because  somebody  has  to  be  thinking 
about  what’s  possible  and  what  experiments  to  run. 
Marketing  people  can  do  this,  but  they’re  usually 
more comfortable if they have a technologist working
with them.


To enhance a company’s strategic decision making,
though, the most important thing CIOs can do is
to provide clarity around the operating model. It used
to be that IT managers did whatever each individual
business unit manager wanted. Now they’re saying,
“IT is about how we function as an enterprise.” Even
though you wouldn’t think that’s new anymore, it’s
like they’ve learned it again. The big evolution for
CIOs will be the ways they take on responsibility for
business processes in organizations. They need to
become business engineers. It’s a special skill set to
figure out how to bring together a company’s whole
portfolio of existing skills in IT and in the business
and how to engineer processes that are implementable
and valuable. It’s really hard.

But IT managers are perfectly positioned to do this
because their entire lives have been spent understanding
processes as they’ve implemented technology to
support them. IT people now talk about “our level one
processes” and “our level two processes.” They have
that recognition of what technology capabilities have
to be built underneath things.


As IT leaders become end-to-end business engineers,
creating new collaboration across units, what
business benefits have you seen result?

There are many. One critical one is that data sharing
across units enables a company to present a single
face to the customer. Increasingly, global companies
are insisting that their suppliers provide a single
point of contact for sales and support. Companies that
can’t share customer and product data find it difficult
to meet this type of customer demand.

To recap: you're saying, Ignore IT and design the
business operation. But you're also saying, You
know who's good at this? The person who's spent
all his or her time thinking about IT.

You’re right. And the biggest dilemma is that if I’m
CIO and you tell me exactly how you’d like the business
run, my job is to admit that our existing technology
is an obstacle, map out a new direction, and get
you to accept that it will happen much slower than
you want.

The most important thing for CIOs to do is to find
high impact things to do near-term while they’re
pursuing the longer-term. Find one thing the company
can do now that’s going to make a difference and get
the momentum going. That is a gift. Not all CIOs can
do it. Their inclination is just to say, “Oh, my God, this
is such a mess. Here’s the five-year plan.”

Managing change of behavior is much bigger than
managing change of the technology.


Is there a behavior-change challenge that organizations
especially face?

As we steer toward more automation, more standardization
across the enterprise, more data sharing,
we’re increasingly going to have to stop people from
performing heroics in the workplace. We used to rely
on people to be heroes. We’d say, “Do something brilliant
and whatever the customer wants.” That’s just
not going to work in today’s world. Because we need
things that work across the enterprise, and heroism
is too unpredictable. When the right hand doesn’t
know what the left hand’s doing, it just messes up
everybody else. Your heroics become my problem.

So heroics are out. What’s in is a conception of
the organization and you as a team. If you have to do
something heroic, you better make sure everybody
knows what you just had to do. As companies get better
and better, they’ll call for those heroic behaviors
less and less.


ANDREW McAFEE

The  Scientific  Mindset 

Of all the ways that changing technology capabilities will remake
organizations, says MIT's Andrew McAfee, none is as big as the transition
from intuition-based decision making toward an approach based on science.


Andrew  McAfee 




Copyright  ©Massachusetts 
Institute  of  Technology,  2010. 
All  right  reserved. 


What's  the  most  significant  management  shift  that 
evolving  IT  capabilities  will  drive? 

It’s really hard to understand what new possibilities
have opened up and what important constraints are
gone because of the cornucopia of technology that
we’re sitting on. One of the biggest changes is that
when you have this unbelievable amount of computing
horsepower and a mass of data to apply it to, you
can be a lot more scientific about things. You can be
more rigorous in your analysis. You can generate
and test hypotheses. You can adopt a much more
scientific mindset.

If you don’t try to migrate your company and your
decision-making in that direction, you’re missing out
on a huge opportunity, and you had better hope your
competition is also not moving in that direction.
Because when you compare scientific to pre-scientific
approaches, there’s one clear winner over and over.

What  actions  should  IT  managers  take  to  ensure 
they  prove  valuable  in  their  organizations  as  leading 
drivers  of  the  transition  to  the  "scientific"  Intelligent 
Enterprise? 

IT leaders can do two important things. First, they
can explain to their business-side colleagues both
why and how information technologies are changing
the company and competition — in other words, how
enterprises are becoming more scientific thanks to
technology. Second, they can help their colleagues
make important decisions by presenting and explaining
available options and making recommendations.
The technology landscape is constantly changing,
and is alien and confusing to lots of executives.
IT leaders can help them by presenting technology
options, discussing them in business terms, and
essentially reducing a seeming infinity of tech choices
down to a small set of business decisions.

A  lot  has  been  said  about  IT's  unique  span-the- 
silos  role  in  organizations.  What  business  benefits 
have  you  seen  result  from  IT-driven  increased 
collaboration  among  business  units  (or  among 
business  roles)? 

As one former CEO of a tech giant told me: “If only
we knew what we know, we’d be three times as
productive.” When work takes place only within silos,
there’s going to be a lot of redundancy and waste.

It’s also going to be hard to locate the people who
could be good colleagues — who could solve a problem,
answer a question, make an introduction, etc.
The IT function is responsible for the only corporate
asset that spans the entire company: the technology
infrastructure. So IT leaders should absolutely be in
the vanguard of those driving better collaboration.
They should be spreading the gospel that a more
collaborative application is a more productive organization,
and helping a company to know what it knows.


NETINSIDER BY SCOTT BRADNER

SCO:  So  die  already! 


ANOTHER  SHOE  has  dropped  for  the  SCO 
Group  —  this  makes  about  a  dozen  —  but 
when  will  this  outfit  go  away? 

First  the  SCO  Group  sues  IBM  for  billions 
in  a  case  related  to  alleged  intellectual  property  infringement,  and  then 
it  starts  threatening  Linux  and  Linux  users.  Then,  after  Novell  says 
that  the  SCO  Group  does  not  have  the  rights  needed  to  sue  and  threaten, 
it  goes  ahead  and  sues  Novell  anyway.  Since  then  it  has  been  mostly 
downhill  for  the  SCO  Group. 

After  enriching  many  a  law  firm,  part  of  the  case  finally  made  it  in 
front  of  a  judge.  That  judge  ruled  that  the  SCO  Group  had  no  clothes, 
nor  did  it  have  the  rights  to  Unix. 

The  SCO  Group  did  not  die.  Instead,  it  appealed  and  got  a  reprieve, 
and  a  jury  trial.  The  jury  agreed  with  the  first  judge  about  the  lack  of 
coverage  but  the  SCO  Group  still  did  not  die  and  appealed  again.  Now 
the  judge  hearing  the  appeal  has  ruled  that  the  jury  (and  the  first  judge) 
got  it  right  and  that  the  SCO  Group  has  nothing  to  hide  behind.  Will 
The  SCO  Group  take  the  hint  this  time  and  die  already?  Stay  tuned. 

The  whole  saga  has  been  covered  with  remarkable  tenacity,  accuracy 
and  clarity  by  Pamela  Jones  at  Groklaw. 

The SCO story was never about obtaining just rewards for hard
work or about protecting SCO’s intellectual property. The SCO Group
wanted billions of dollars from IBM for work that, assuming all of the
SCO Group’s claims had been accurate, SCO only spent a few million
dollars developing and were only able to realize a few million from its
own products. A thousand to one or so return on investment is, by any
rational, a bit more than a just reward.

If  it  had  been  about  protecting  intellectual  property  the  SCO  Group 
would  have  told  the  world  what  property  had  been  stolen  and  the  open 
source  community  would  have  quickly  stopped  using  it. 

It  is  quite  clear  that  the  leaders  of  the  SCO  Group  had  developed  a 
business  strategy  of  trying  to  get  the  courts  to  help  extract  “exorbitant 
fees”.  SCO’s  leaders  were  willing,  maybe  even  eager,  to  destroy  the  open 
source  culture  to  enrich  themselves. 

You might think from the above diatribe that I am against all
enforcement of intellectual property, but you would be wrong. I do find it a
distortion of justice that a company can spend hundreds of millions of
dollars developing a game-changing product and have it copied a few
months later by other companies who have nothing original to offer
society. I also find it counter-productive for inventors to not be
reasonably rewarded for actual inventions.

The  SCO  Group  showed  what  can  go  wrong  when  some  types  of 
people  use  intellectual  property  rights  (IPR)  as  a  weapon  in  a  lawyer- 
rich  (or  is  that  rich-lawyer)  world.  But  the  excesses  of  the  SCO  Group 
must  not  obscure  the  fact  that  there  are  wronged  intellectual  property 
holders  who  should  be  made  right. 

Disclaimer:  Harvard  has  IPR  (including  IPR  on  a  mouse)  so  is  likely 
to  have  an  interest  in  this  topic.  But  I  do  not  speak  for  the  university,  nor 
do  I  know  what  it  would  say  if  it  spoke  for  itself. 

Bradner  is  Harvard  University’s  technology  security  officer.  He  can  be 
reached  at  sob@sobco.com 


►  Data  center,  from  page  16 

and vendor offerings are different enough to
make decisions challenging. Kerravala says
the choices vendors offer are more different
vendor-to-vendor than they have been for
past technologies. “It’s unlike what networking
has been for a long while — Cisco led and
others were either cheaper or faster,” he says.

Enterasys  hangs  its  data  center  strategy 
on  well-known  partners,  but  anchors  it  on  its 
own  switches  and  the  ability  to  manage  based 
on  preset  policies. 

This  means  it  relies  on  interoperability 
with  virtualization  software  from  vendors 
including  Citrix,  Microsoft  and  VMware,  as 
well  as  server  and  storage  vendors  including 
Dell,  HP  and  IBM.  With  input  gathered  from 
these  other  vendors,  Enterasys  will  support 
visibility  into  data  center  functions  as  well 
as  set  automated  policies.  These  policies  can 
allocate  better  access  to  priority  applications 
as  determined  by  business  needs. 

The plan will be fleshed out over the coming
months, including the specifics of the partnerships
that will make it fly, the company says.

Key to the Enterasys architecture is the
ability of its S-series switches to authenticate
applications and apply policies to them
regardless of the port they connect to. These
policies can include factors such as QoS,
bandwidth and access control.

Brocade’s approach, called Brocade One,
relies on a virtual access layer (VAL) that
links typical data center resources where they
reside via software rather than via physical
deployment and proximity. VAL imposes QoS
policies. A second component is called virtual
cluster switching (VCS), which enables
managing the virtual switch as a single logical
Ethernet multipath switch that is lossless
and low-latency. The goal is to support IEEE
standards for virtual bridging.

As  virtual  machine  topologies  form  to  meet 
demand,  VCS  makes  sure  that  each  VM  gets 
the  appropriate  port  profile  regardless  of 
where  the  VM  is  located. 

Brocade hardware announced this month
relies on a new operating system called Brocade
Network OS (BNOS), which can converge
Fibre Channel and IP onto a Linux core.

Meanwhile, Cisco, HP and Juniper all
announced their strategies earlier, but each
has its own variations. Cisco’s Unified Computing
System (UCS) creates a well-integrated
environment of virtual servers, storage, applications
and networking with some reliance on
support from vendors including EMC, Microsoft,
VMware and Novell.

UCS relies on a data center fabric that can
handle storage-area networks, network-attached
storage and iSCSI, creating opportunities
to save costs by reducing provisioning
time, more efficient management and reduced
power costs.

Cisco plans to sell UCS as a system, locking
customers in to the vendor for more of their
data center infrastructure. That may not be
much of a concern, Nolle says, based on recent
surveys by his company. “Enterprises are less
interested in best-of-breed than they used to
be,” he says. “They’re more interested in having
a single point of contact.”

The reason for the shift is that despite black-box
performance testing of individual devices,
the performance differences in the real world
are not noticeable, he says. The bigger draw
for customers is if a vendor addresses high-level
architectural issues effectively, he says.

Juniper has also been in the data center
game for a while and in February announced
its Stratus project with other vendors to blend
management, storage, computing, switching,
networking and appliances. The company is
focused on cutting latency tenfold, boosting
reliability and beefing up virtual security.

HP, with its purchase of 3Com, has many of
the elements needed to upgrade data centers,
Kerravala notes. With its roots in Asian markets,
the company can be expected to develop
its own technologies rapidly as needed and at
a low price, he says.

In evaluating vendors, the major issues
decision-makers should address include:
How does cloud/virtualization fit in? What
are the effects on operational costs and
support? How significant is real-time communications
within the data center? How
compatible is the data center with a multivendor
environment? ■
TOOLS


IT  asked 
and  answered 

Ron  Nutter  and  Steve  Blass 

tackle  your  tough  tech  questions 

at  tinyurl.com/yg2o434 


Wikipedia  in  your  pocket 


Many people are dismissive of
Wikipedia. For example, in 2005,
as quoted in the Ideas in Action
blog, Robert McHenry, a former
editor-in-chief of the Encyclopedia
Britannica, argued: “Many revisions,
corrections, and updates
are badly done or false. There is a simple reason for
this: Not everyone who believes he knows something
about Topic X actually does; and not everyone who
believes he can explain Topic X clearly, can.”


Mark  Gibbs’  Gearhead 


Even so, from various comparative content
reviews such as the one that was conducted by
Nature.com in 2005 (as reported on Arstechnica)
it would seem that the error rates of
Wikipedia and Britannica were remarkably
close, with Britannica only slightly in the lead:
“Working from a statistically small sample of
42 randomly chosen science articles ... Wikipedia
had 33 percent more errors, with 162 ‘factual
errors, omissions or misleading statements,’ as
compared to 123 for Britannica. In terms of egregious
errors involving inaccurately explained concepts
or misinterpretations of data, the experts found four
instances in each of the two encyclopedias.”

The  takeaway  from  all 
this  wrangling  is  that  no 
matter  what  ‘pedia  you  use, 
you  always  have  to  cross 
check  your  sources. 

Whether  you  love  it  or  hate  it,  Wikipedia  is 
immensely  useful  and  its  scope,  currently  some 
3,322,838  articles,  makes  it  about  15  times  larger 
than  Britannica.  It  is  also  a  crucial  resource 
when  it  comes  to  answering  trivia  questions. 
(Read  more  about  Wikipedia,  page  41.) 

Better yet, it is convenient. For example,
sometimes going online to resolve a crucial
issue such as the birthday of Led Zeppelin’s
Jimmy Page (Jan. 9, 1944) or what is the more
usual name for the West African primate
called the “softly-softly” (the “potto”) is just
too much aggravation or impossible if you
happen to be in the middle of the Kenyan rain
forest. This is where the WikiReader from
Openmoko might be extremely useful.

At just 4 inches square
and 3/4 inch thick and
weighing next to nothing,
this dedicated device is
tiny. Its two AAA batteries
will last for months and its
monochrome, touch-sensitive
screen is not bad at all
even in daylight.

What’s interesting is
that the WikiReader has
just four buttons: Power,
search, history and random
(I could live without
the “random” button).

When you press “search”
you get an on-screen keyboard
to enter your search text (this is a little
on the small side so those of us with fat finger
syndrome have to be careful) and as you
enter each letter a list of matches appears
giving you a clue about possible hits ... nice.
When you see a result that looks like it fits
your query, you just press the on-screen
► See Gearhead, page 27




Can you tell me what is the
best site for Cisco certifications
exam training.

There is no one site that is
the best for Cisco certification
info. The one I would start with is
https://learningnetwork.cisco.com.
You will find a host of forums
targeted at each of the certifications
and/or exams. You will also
find several study groups where
you can ask questions. As you go
into the different forum areas,
you will also see documents being
posted that go into more detail on
some of the areas that the various
books available don’t cover in
the kind of detail you need.


I'm making the move to a
MacBook Pro. One of the challenges
is what program to use
for console access to Cisco
gear. Because the MacBook
also doesn’t have a serial port,
I know I’ll need to use some
type of USB to Serial converter.

Let’s tackle the USB to Serial
Converter question first. Although
there are several models to
choose from, I have been pleased
with the Keyspan USA-19HS USB
to Serial converter. It handles all
of the RS232 handshaking you’ll
need to work with. Depending
on when you got your MacBook
Pro, you may be running Snow
Leopard. If that is the case, you’ll
want to download the latest drivers
from Tripp Lite's Web site instead
of using the drivers that come on
the Keyspan CD. Next the application
to use. If you just need basic
serial console access, I have been
most impressed with CoolTerm.
You can download the applica-
GADGETS

GoFlex,  MyDitto 
offer  easy  NAS  setup 

Cool  Tools 


Keith  Shaw’s 


THE 

SCOOP 


GoFlex  Net 

by  Seagate,  $99.99  (with¬ 
out  drive;  GoFlex  drives 
sold  separately) 


►  What  it  is:  Part  of  Seagate’s  new  GoFlex 
line  of  products,  the  Net  is  a  network  storage 
device  that  replaces  the  company’s  DockStar 
unit.  The  Net  is  a  docking  cradle  that  sup¬ 
ports  connections  of  two  GoFlex  portable 
drives.  The  dock  plugs  into  an  open  router 
port.  Access  to  the  network  for  each  PC  is 
provided  through  the  Pogoplug  application, 
which  you  can  download  from  the  Pogoplug 
(and  Seagate)  Web  site.  You  can  also  access 
the  drive  from  any  Web  browser. 

►  Why  it's  cool:  The  portability  of  the 
GoFlex  drives  means  you  can  easily  take  the 
drive  out  of  the  Net  device  when  you  want  to 
go  on  the  road  with  your  files,  and  it  supports 
expandability  very  easily,  since  it  utilizes 
portable  external  drives  rather  than  tougher- 
to-install  hard  disk  drives.  A  Pogoplug 

app  supports  the  iPhone,  BlackBerry  and 
Android  devices,  letting  you  access  music 
and  photos  from  your  phone. 

The  GoFlex  system  lets  you  connect  USB 
3.0  or  FireWire  800  cables  for  faster  copying. 
This  means  you  can  put  all  your  files  on  the 
drive  quicker  than  transferring  to  a  bulkier 
network-attached  storage  (NAS)  via  Wi-Fi. 
You  can  expand  capac¬ 
ity  by  attaching 
other  USB  external 
drives  (even  ones 
not  from  Seagate). 

Social  site  support 
(Facebook,  Twitter, 

MySpace)  is  cool: 

You  can  share  pho¬ 
tos  directly  from  the 
drive  to  these  sites 
rather  than  upload¬ 
ing  them  to  the  site. 

On  Facebook,  for 

GoFlex  Net 
cradles  two 
GoFlex  drives 


example,  when  you  share  a  photo,  a  post  goes 
on  your  Wall  with  a  link  allowing  friends  to 
view  the  photo  from  your  drive. 

►  Some  caveats:  No  iTunes  streaming 
(boo!);  Social  network  connections  didn’t 
work  with  Google  Chrome  browser. 

►  Grade  ★★★★  (out  of  five). 


THE 

SCOOP 


MyDitto 
storage  server 

by  Dane-Elec,  about  $185 


►  What  it  is:  This  box  contains  two  slots  for 
a  hard  disk  drive,  and  connects  via  Ethernet 
cable  to  an  open  port  on  your  home  router. 
When  you  connect  to  the  router  and  power 
up  the  box,  it  becomes  a  NAS  drive  for  your 
network,  capable  of  storing  files.  The  drive 
can  also  act  as  a  streaming  media  player  for 
iTunes  or  any  other  UPnP  media  player/ 
device  on  the  network. 

►  Why  it’s  cool:  Client  access  to  the  MyDitto 
box  is  unique  —  instead  of  installing  an 
application  on  the  PC,  users  connect  a 
MyDitto  USB  key  to  their  PC,  which  loads 
up  the  application  that  shows  the  drive’s 
contents  (users  need  a  password  to  access 
the  drive).  When  the  USB  key  is  removed,  all 
traces  of  the  NAS  are  gone  (save  for  any  files 
that  the  user  copied  from  the  drive  to  the 

local  PC).  Not  only  is  it  easy  to  install  on 
each  PC  or  Mac,  but  the  USB  key  makes 
it  good  for  traveling,  when  you  want  to 
access  files  via  a  business  center  PC  or 
an  Internet  kiosk.  Multiple  USB  keys 
can  be  created  for  other  users  to  access 
the  drive  as  well,  and  if  you  lose  your 
USB  key,  you  can  reset  the  system  and 
create  new  authentication  keys. 

►  Some  caveats:  A  couple  of  bugs 
froze  the  app  when  trying  to  access  the 
drive  across  the  Internet;  iPhone  app 
can  only  view  photos. 

►  Grade 

Shaw  can  be  reached  at  kshaw@ 
nww.com. 


tion from http://freeware.the-meiers.org/.
Depending
on  what  other  serial  devices 
you’ll  be  accessing,  you  may 
need  to  tweak  the  configura¬ 
tion  slightly.  You  also  have  the 
option  of  using  the  Console 
program  that  comes  with 
every  Mac.  Natively  it  doesn't 
know  how  to  access  the  USB 
adapter  you  will  be  using.  A 
little  searching  via  Google  or 
your  favorite  search  engine  will 
show  the  AppleScript  needed 
to  get  this  to  work.  I  have  tried 
this  but  haven’t  always  gotten 
the  results  I  was  expecting. 
This same app will also let
you  telnet  or  SSH  to  any  of 
your  network  devices.  If  you 
are  familiar  with  SecureCRT 
or  a  similar  Windows  program, 
there  are  a  couple  of  options 
you  can  consider.  ZOC/Pro 
provided  a  tabbed  approach 
to  accessing  multiple  devices 
that  I  was  used  to  with  Secure¬ 
CRT.  Another  terminal  app  I 
found  for  the  Mac  is  MacWise. 
Like  ZOC  it  allows  you  to 
access  hosts  via  Serial,  Telnet 
or  SSH.  A  downside  was  when 
the  MacBook  went  into  "sleep" 
mode,  the  USB  converter 
didn’t  always  respond. 


► Gearhead, from page 26
entry  with  your  finger  to  display  the 
related  content.  Dragging  up  and 
down  with  your  finger  scrolls  the 
content  —  completely  intuitive. 

Priced  at  just  $99  the  WikiReader 
can  be  updated,  at  no  charge,  by 
copying  the  latest  content  release 
to  the  micro  SD  card  or,  for  the  low 
price  of  just  $29,  you  can  receive  two 
updates  per  year  pre-loaded  onto 
micro  SD  cards. 

What  would  improve  the  Wiki 
Reader?  The  next  level  up  would  be 
graphics,  after  which  it  would  be  audio 
then  video ...  all  of  which  is  asking  for  a 
lot  of  additional  technology  that  would 
push  up  the  price  considerably. 

I  love  this  device  as  it  is  and  this 
is  what  I  want  in  my  rucksack  if  I’m 
ever  stuck  in  the  Kenyan  rain  forest 
with  a  primate  identification  prob¬ 
lem.  As  unlikely  as  that  may  be.  I’ll 
give  the  WikiReader  a  rating  of  4.5 


Gibbs  lives  near  the  desert  in 
Ventura,  Calif.  Send  your  jungle 
drums  to  gearhead@gibbs.com. 
Cool NAC tools deliver endpoint protection

We  test  12  solid  products;  each  with  its  own  variation  on  a  theme 


BY  JOEL  SNYDER 

Despite  the  fact  that  network  access  control 
hasn’t  yet  lived  up  to  its  initial  promise,  NAC 
is  very  much  alive,  as  evidenced  by  the  fact 
that  12  vendors  participated  in  our  NAC 
test,  including  industry  leaders  Microsoft, 
HP,  Juniper,  McAfee,  Symantec  and  Alcatel- 
Lucent. 

We  tested  each  product  on  the  key  pieces 
of  any  full-strength  NAC  solution:  authenti¬ 
cation,  access  control  enforcement  and  end¬ 
point  security  posture  checking.  We  found 
12  great  products  that  were  so  different  in 
the  way  they  accomplished  NAC  that  it  was 
impossible  to  do  a  head-to-head  comparison. 

We  did  find  products  that  fell  into  similar 
buckets.  For  example,  if  you  were  thinking  of 
buying  ForeScout  CounterACT,  you  should 
also  be  looking  at  Trustwave  NAC.  If  you 
were  considering  Avenda  eTIPS,  you  defi¬ 
nitely  want  to  take  a  look  at  Juniper  UAC. 

Other  products  worked  best  if  you  already 
have  that  vendor’s  gear.  HP  ProCurve  Iden¬ 
tity  Driven  Manager  is  a  great  solution  —  but 
it  really  only  works  well  in  an  HP  environ¬ 
ment.  If  you  already  have  Symantec  Endpoint 
Protection  suite,  you’ll  find  its  NAC  solution  a 
fantastic  complement.  The  same  is  true  with 
McAfee. 

If  you’re  looking  for  products  not  tied  to 
specific  hardware,  the  list  includes  Avenda 
eTIPS,  Bradford  Network  Sentry,  ForeScout 


CounterACT,  Microsoft  NAP  and  Trustwave 
NAC. 

And  you  could  certainly  make  good  use 
of  Juniper  UAC  or  Enterasys  NAC  without 
any  Juniper  or  Enterasys  equipment  in  your 
network.  Even  Cisco’s  NAC  Appliance  and 
Alcatel-Lucent’s  Safe  NAC  could  work  with 
non-Cisco  and  non-Alcatel-Lucent  switches. 

We  don’t  have  a  final  answer  on  NAC.  The 
product  lines  are  growing  and  maturing,  and 
many  of  the  hard  parts  of  NAC  are  moving 
into  infrastructure,  including  switches,  rout¬ 
ers  and  user  operating  systems. 

But  you  will  always  need  other  pieces  to 
make  your  NAC  solution  complete  —  end¬ 
point  device  profiling,  policy  management 
systems,  and  captive  portals  are  all  impor¬ 
tant  parts  of  a  NAC  solution  that  you  won’t 
find  built  into  your  favorite  switch  or  operat¬ 
ing  system. 

To  help  you  determine  which  NAC  prod¬ 
uct  is  right  for  you,  we  sliced  and  diced  our 
test  results  two  ways  —  by  product  and  by 
feature.  In  this  report,  we  review  each  prod¬ 
uct,  describing  how  it  works  and  some  of 
the key pros and cons. Go online (see
http://tinyurl.com/2941sco) to learn how we tested
the  products,  and  for  our  test  results  broken 
out  by  specific  features.  Online,  we  also  dis¬ 
cuss  our  results  from  testing  the  management 
toolkit  of  each  product. 

And  although  we  don’t  have  a  traditional 
scorecard, we do have some favorites.


Because  we’re  looking  at  NAC  from  a  security 
point  of  view,  approaches  that  leverage  802.1X 
well  seem  like  good  solutions  to  us.  That  puts 
Avenda  eTIPS,  Enterasys  NAC  and  Juniper 
UAC  on  our  short  list.  HP  ProCurve  Identity 
Driven  Manager  is  in  the  same  category,  but 
will  really  only  be  interesting  to  HP  shops. 

Microsoft  NAP,  which  leverages  the  client 
built-in  to  Windows,  is  an  obvious  winner,  as 
is  any  solution  that  lets  us  build  on  what  we 
get  for  free  from  Microsoft. 

Some  products  seem  to  be  still  trying  to 
figure  out  what  they  want  to  be  and  how  they 
want  to  operate,  such  as  the  Alcatel-Lucent/ 
InfoExpress  alliance  and  Cisco  NAC  Appli¬ 
ance.  That  doesn’t  mean  they  don’t  work,  but 
you  should  be  prepared  for  change  if  you  go 
down  either  of  those  paths. 

Bradford  Network  Sentry,  the  grand  old 
man  of  the  NAC  business,  certainly  worked 
fine  in  our  testing,  but  at  a  level  of  complexity 
that  will  be  overkill  for  many  well-structured 
networks. 

Some  products  seem  like  they  need  a  bit  of 
time  to  settle  down  and  work  out  a  few  kinks, 
such  as  McAfee’s  N-450  NAC  Appliance.  We 
have  doubts  about  the  scalability  and  approach 
taken  in  ForeScout  CounterACT  and  Trust- 
wave  NAC.  These  products  might  be  better 
suited  to  branch  offices  and  small  networks. 

Here  are  the  product-by-product  results. 

(Notes  on  pricing:  Assumes  1,000  users  or 
end  devices.) 
Alcatel-Lucent/InfoExpress combo needs better
integration

PRODUCT: SafeNAC

PRICING (1,000 USERS): Roughly $44,500

STRENGTHS:  Strong  endpoint  security 
checking,  complete  NAC  solution. 
WEAKNESSES:  Confusing  array  of  configu¬ 
ration  and  management  options. 

Alcatel-Lucent  submitted  their 
OmniSwitch  switches,  OmniAccess  wireless 
controllers and OmniVista management tool,
plus  InfoExpress’  CyberGatekeeper  endpoint 
security  system. 

Together,  the  two  vendors  offer  a  complete 
framework  and  a  wide  set  of  hardware 
options.  The  result  is  interoperable  parts 
that  network  managers  can  combine  to  give 
different  types  of  NAC  enforcement  in  dif¬ 
ferent  network  topologies. 

The  most  important  characteristic  of  the 
Alcatel-Lucent  NAC  strategy  is  a  heavy  focus 
on  endpoint  security  checks,  which  are  only 
loosely  coupled  to  optional  authentication 
and  group  information. 

However,  because  Alcatel-Lucent  and 
CyberGatekeeper  are  each  stand-alone  NAC 
products,  the  options  for  enforcement  and 
policy  creation  are  dizzying  and  confusing. 

CyberGatekeeper  can  be  installed  on  Win¬ 
dows  or  Mac  clients,  and  returns  a  “pass”  or 
“fail”  verdict  that  can  be  used  as  part  of  an 
access  control  decision. 

Alcatel-Lucent’s Access Guardian management
software is used to define NAC policies,
which are then pushed out to Alcatel-Lucent
switches that enforce access controls.
Although Access Guardian supports access
control lists for enforcement, the definition
mechanism is so clumsy that most enterprises
will probably use virtual LAN-based
enforcement mechanisms instead.

Acknowledging  that  it  doesn’t  have  a  sig¬ 
nificant  percentage  of  the  network  switch 
market,  the  team  that  visited  our  lab  demon¬ 
strated  both  edge  enforcement  with  Alcatel- 
Lucent  gear,  as  well  as  an  Alcatel-Lucent 
switch  sitting  behind  our  existing  Cisco,  HP 
and  Juniper  switches,  providing  Layer  2  in¬ 
line  NAC  enforcement  at  the  network  core. 

The  components  offered  by  Alcatel-Lucent 
and  InfoExpress  do  check  most  of  the  boxes 
required  for  a  NAC  deployment.  However, 
these  pieces  form  more  of  a  do-it-yourself  kit 
than  an  integrated  NAC  product. 


Avenda offers full-featured NAC

PRODUCT: eTIPS 5005

PRICING (1,000 USERS): $22,000 to $40,000

STRENGTHS: Simplicity, ease of use,
well-balanced NAC features.

WEAKNESSES: Relies on 802.1X authentication,
which some customers may be wary of.

At its core, Avenda’s eTIPS is a RADIUS
server specifically designed for NAC
authentication and access controls. Avenda gives
authentication, endpoint security checking
and policy enforcement equal weight, making
eTIPS a very well-balanced NAC product.

Because eTIPS is focused on NAC
functionality, it’s not just a simple RADIUS server.
Instead, the Avenda team has added a ton of
features specific to NAC deployments.

Although eTIPS takes some getting used to,
the Web-based GUI is focused on NAC tasks,
making it relatively easy to use with only a
couple of days practice. ETIPS is not a
simple product, but it’s about as simple
as it can be and still covers all the bases.

Avenda is aware of the fear factor
associated with 802.1X, so it also offers a
cloud-based service called Quick1X that can
be used to automate deployment of 802.1X
across Windows, Mac and iPhone devices.
With Quick1X, the network manager creates
a deployment application based on his own
network and relevant operating system
settings, then downloads the application and
distributes it to users, who can use it to
quickly and reliably set up their 802.1X
configurations.

ETIPS also includes the ability to do
posture checking by actively scanning devices
as they come on the network, or by
interpreting posture information from endpoint
security software. ETIPS supports its own
system health agent, Microsoft’s NAP agent,
and Cisco’s CTA agent. It also includes a very
full-featured guest login and registration
portal that integrates properly with network
devices — an unusual feature.

Avenda even has a dedicated in-line
appliance, called Edge, which can be used in
environments such as simple wireless networks
and VPNs where traditional 802.1X-style
authentication might not fit in.

As one of two vendors exclusively focused
on NAC, Avenda has done a great job of
bringing a policy server and all the associated
pieces required to successfully deploy NAC
in a typical enterprise network.


Bradford  best  for  complex, 
multi-vendor  sites 

PRODUCT:  Network  Sentry 
PRICING  (1,000  USERS):  $32,460 
STRENGTHS:  Excellent  for  complex,  multi¬ 
vendor  environments,  such  as  a  college 
campus. 

WEAKNESSES:  Complex,  difficult  to  install. 

With  over  a  decade  of  experience  doing 
nothing  but  NAC,  Bradford  brings  an 
immense  amount  of  corporate  knowledge 
to  the  NAC  marketplace.  As  the  dominant 
supplier  of  campus-wide  NAC  to  the  educa¬ 
tion  market,  Bradford’s  approach  has  strong 
supporters  in  environments  where  heteroge¬ 
neous  device  deployment  (two  dozen  wired 
and  wireless  device  vendor  product  lines  are 
supported)  and  hostile  users  are  the  norm. 

Network  Sentry  has  several  deployment 
models,  but  the  most  common  is  based  on 
edge  device  enforcement  of  access  controls, 
typically  using  VLANs.  Using  a  combination 
of SNMP and command-line interface, Network
Sentry detects devices coming onto the
network  and  then  walks  each  device  through 
registration,  authentication  and  compliance 
checking,  before  finally  pushing  a  configura¬ 
tion  that  lets  the  device  onto  the  network.  Net¬ 
work  Sentry  also  supports  802.1X  authenti¬ 
cation,  but  did  not  encourage  its  use. 

The Network Sentry family also includes
endpoint security checking via either an
on-network scanner (built-in support is included
for Nessus) or the Bradford client on
Windows, Mac OS X and Linux. A guest
registration and login portal is available as an option,
as is a network scanner, which can be used to
discover device types and build a database of
devices on the network.

Unfortunately  the  product  has  grown  over 
the  years  with  patches,  plug-ins  and  an  enor¬ 
mous  number  of  add-ins  to  support  the  unique 
requirements  of  its  huge  customer  base. 

We  found  it  hard  to  understand,  poorly  doc¬ 
umented,  difficult  to  manage,  inconsistent  in 
its  behavior  and  with  no  clear  way  for  some¬ 
one  to  deploy  the  product  without  consider¬ 
able  third-party  help. 


Go online as Joel Snyder
analyzes  12  NAC  products  feature 
by  feature,  including  authentica¬ 
tion,  endpoint  security  checking, 
access  control  and  management. 
Also  see  how  he  tested  these  NAC 
products.  Plus  go  online  for  a 
slideshow  distilling  the  compre¬ 
hensive  testing  results  in  quick 
thumbnails,  tinyurl.com/294lsco 


Cisco  NAC:  Strong 
in-line  enforcement 

PRODUCT:  NAC  Appliance 
PRICING  (1,000  USERS):  $36,000 
STRENGTHS:  Powerful  NAC  for  wireless  and 
VPN  environments. 

WEAKNESSES: Limited tools for fine-grained
access  control. 

The  two  components  of  Cisco  NAC  Appli¬ 
ance  are  the  NAC  Manager,  which  controls 
policy,  and  the  NAC  Server,  which  responds 
to  user  traffic  and  enforces  policy. 

NAC  Appliance  can  act  either  as  a  purely 
in-line  or  as  an  edge-enforcing  NAC  solution. 
Each  NAC  Server  only  operates  in  one  of  those 
two  modes.  When  in-line,  the  NAC  Appliance 
filters  user  traffic,  applies  access  control  poli¬ 
cies,  and  checks  endpoint  security  status.  In¬ 
line  mode  is  recommended  by  Cisco  for  wire¬ 
less  and  VPN  environments. 

When  the  NAC  Server  is  put  into  edge- 
enforcing  mode,  it  uses  SNMP  to  manage 
VLANs  on  Cisco  switches.  Before  a  device  is 
posture-checked  and  authenticated,  the  NAC 
Server  can  put  itself  in-line  and  present  a  cap¬ 
tive  portal  for  authentication  and  to  push  the 
Clean  Access  Agent  (an  endpoint  security 
checking  tool)  to  Windows  and  Mac  OS  X 
clients. 

Once  authentication  and  posture  checking 
are  complete,  the  NAC  Server  sends  SNMP 
configuration  commands  to  the  edge  switch 
to  enforce  access  controls  by  moving  the  user 
to  an  appropriate  VLAN. 

NAC  Servers  also  support  less  intrusive 
authentication  and  posture  checking  options, 
using  authentication  information  captured 
from  network  traffic  and  using  a  persistent 
endpoint  security  agent. 

NAC Appliance is mostly focused on
authentication and endpoint security checking: the
tools for defining network access controls,
especially when edge enforcement is being used,
are very limited in scope. Some common features
of NAC products, such as direct support for
MAC-based authentication for VoIP devices
or printers, are not built into the NAC
Appliance. Instead, Cisco expects that you will use
features built-in to its switches.

However,  Cisco  does  sell  its  NAC  Profiler, 
an  OEM  version  of  Great  Bay  Software’s  Bea¬ 
con  product  line,  which  integrates  tightly  into 
the  NAC  Appliance,  and  helps  to  build  excep¬ 
tion  lists  for  devices  (such  as  VoIP  phones  or 
printers)  to  simplify  NAC  rollout. 

Cisco  also  offers  a  packaging  of  the  NAC 
Appliance  Server  in  a  small  Network  Module 
that  can  be  placed  in  its  ISR  branch  router 
product  line. 

This  makes  deployment  based  on  the  NAC 
Appliance  easy  in  environments  where  an 
extra  server  is  a  big  deal.  While  Cisco’s  over¬ 
all  NAC  strategy  is  in  flux,  a  NAC  Appliance 
investment  is  likely  to  come  with  substantial 
purchase  protection. 


Enterasys  NAC: 

Put  it  on  your  short  list 

PRODUCT:  NAC  v3.2 
PRICING  (1,000  USERS):  $30,000 
STRENGTHS:  Ease  of  use,  well  thought  out, 
strong  feature  set. 

WEAKNESSES: Minor management flaws.

The Enterasys NAC solution is a combination
of hardware and software that provides
NAC services in both Enterasys and
non-Enterasys networks. Enterasys NAC
starts with a NAC Manager, a management
system built on top of the Enterasys NetSight
Manager platform. NAC Manager is used to
control NAC Appliances, which themselves
come in two types: NAC Controller
appliances, which are in-line NAC
enforcement devices, and NAC Gateway
appliances, which are essentially RADIUS
servers with very NAC-specific feature sets.

We  tested  Enterasys  NAC  in  its  edge- 
enforcement  mode,  using  a  single  NAC  Man¬ 
ager  and  single  NAC  Gateway  to  control  our 
Cisco,  HP  and  Juniper  switches.  Enterasys 
also  sent  us  one  of  its  switches,  which  we 
threw  into  the  mix.  Our  testing  focused  on 
802.1X-type  NAC  deployments,  and  the 
Enterasys  NAC  was  both  easy  to  deploy  and 
performed  well. 

As  we  expected  with  any  mature  NAC  prod¬ 
uct,  we  found  our  fair  share  of  ambiguities 
and  design  flaws  in  the  management  system. 
Still,  the  NAC  Manager  ended  up  being  fairly 
easy  to  use. 

Enterasys  has  a  broad  product  line,  includ¬ 
ing  captive  portal  functionality,  guest 
registration  and  the  ability  to  accept 
external  security  inputs  to  mix  into 
the  NAC  decision-making  process. 

We also found some particularly elegant
thinking in the Enterasys NAC product. For
example, Enterasys NAC uses
DiffServ packet tagging and policy-based
routing to force unauthenticated users to
its captive portal, a very clever solution that
avoids the problems associated with changing
user VLANs on the fly.

Obviously,  Enterasys  NAC  works  best  with 
their  own  switches.  But  we  were  able  to  push 
both  VLAN  and  access  control  lists  to  all  of 
the  non-Enterasys  switches  in  our  network 
very  easily. 

Enterasys  NAC  also  includes  the  usual 
endpoint  security  checking  features.  Both  an 
on-network  scan  using  Saint  Corporation’s 
network  scanner,  and  an  on-device  scan  using 
the  Enterasys  agent,  are  supported. 

Enterasys  has  done  a  good  job  making 
sure  that  its  NAC  product  works  very  well  in 
non-Enterasys  networks.  Because  Enterasys 
NAC  has  both  in-line  and  edge-enforcement 
technologies  in  a  single  product  line,  we 
think  that  this  is  a  definite  short-list  for  any 
802.1X-based  NAC  deployment. 


ForeScout  focuses  on 
network  visibility 

PRODUCT: CounterACT Appliance v6.3.3
PRICING  (1,000  USERS):  $28,995 
STRENGTHS:  Endpoint-centric,  provides 
excellent  network  visibility. 

WEAKNESSES:  Scalability  concerns,  weak 
authentication. 

ForeScout’s CounterACT has a very different
take on NAC; the closest competitor is really
Trustwave. In CounterACT’s framework, the
appliance scans network traffic to classify
devices as they join the network.

And, if possible, CounterACT logs onto the
device remotely to run a detailed endpoint
security check. This can be done with or without
an installed client. As CounterACT learns
about devices, it classifies them into groups,
and then evaluates rules on those groups.

If  a  device  in  a  group  does  not  match  the 
rules  for  that  group,  then  CounterACT  can 
take  action.  CounterACT  also  includes  a  guest 
portal  capability.  When  rules  require  that  a 
user  be  redirected,  the  CounterACT  system 
will  send  out  TCP  reset  packets  and  attempt 
a  “man-in-the-middle”  redirect. 

In  our  small  test  network,  CounterACT 
worked  pretty  well.  Because  it  does  not  nor¬ 
mally  use  standards  such  as  802.1X,  it  has  to 
be  very  intelligent  about  every  device  on  the 
network,  which  is  a  touchy  issue.  For  exam¬ 
ple,  when  we  tested  with  our  Aruba  wireless 
controller,  which  was  supposed  to  be  sup¬ 
ported,  ForeScout  had  to  get  its  development 
team  involved  to  make  things  work,  since 
the  latest  version  of  Aruba’s  software  wasn’t 
compatible  with  the  CounterACT  software 
out-of-the-box. 

In  terms  of  network  visibility,  CounterACT 
was  certainly  the  most  sophisticated  product 
in  this  test.  CounterACT’s  unusual  NAC  strat¬ 
egy  has  other  benefits.  For  example,  if  some¬ 
one  is  classified  into  a  particular  group,  Coun¬ 
terACT  can  take  an  action  to  send  an  e-mail 
to  the  user  on  that  device,  or  perhaps  to  kill  a 
running  IM  or  peer-to-peer  application. 

The  flip  side  of  CounterACT’s  device-cen¬ 
tric  approach  is  that  the  product  is  not  very 
interested  in  authentication  information.  It 
can  detect  authentication,  for  example,  by 
sniffing  Active  Directory,  but  authentication 
information  is  really  secondary.  If  you  are 
looking  at  NAC  to  enforce  different  access 
controls  for  different  types  of  users,  you  won’t 
find  CounterACT  a  very  good  fit. 

One  of  the  biggest  concerns  we  had  in  test¬ 
ing  CounterACT  is  scalability.  Since  the  appli¬ 
ances  have  to  watch  all  network  traffic  (or  at 
least  a  good  portion  of  it)  to  detect  and  classify 
devices,  this  means  that  you  have  to  find  good 
places  in  the  network  where  mirroring  is  both 
possible  and  at  the  right  speed.  In  large  net¬ 
works,  particularly  very  distributed  ones  with 
a  high  level  of  redundancy,  this  can  be  difficult 
or  costly,  requiring  many  appliances.  In  addi¬ 
tion,  CounterACT  does  much  of  its  magic  by 
connecting  to  network  devices  and  reconfigur¬ 
ing  them  on  the  fly,  something  many  network 
managers  will  find  uncomfortable. 

CounterACT’s guest portal functionality is
quite sophisticated; what other vendors are
charging $10,000 or more for is included
as part of the basic product. The only
dangerous thing about the guest portal is that
it requires the CounterACT appliance to be
able to inject traffic into the network to
man-in-the-middle redirect. If you have firewalls
scattered throughout your network, you’re
not going to find CounterACT very effective
in this task.

HP  NAC  works  best 
in  HP  shops 

PRODUCT:  ProCurve  Identity  Driven 
Manager  (v3.01) 

PRICING  (1,000  USERS):  $10,000 
STRENGTHS: Cost-effective, strong management
features, strong access controls.
WEAKNESSES:  Endpoint  security  checking, 
reliance  on  HP  switches. 

HP’s  Identity  Driven  Manager  is  an 
802.1X-based  NAC  solution  optimized  to 
work  with  HP  and  Cisco  switching  infra¬ 
structures.  HP  starts  with  its  ProCurve  Man¬ 
ager  Plus  software,  a  management  platform 
for  HP  switches,  and  adds  in  the  Identity 
Driven  Manager  as  a  layer  within  ProCurve 
Manager  Plus. 

In a departure from most NAC solutions,
ProCurve’s RADIUS server isn’t a server at all,
but a plug-in that integrates directly to
Windows’ Network Policy Server and FreeRADIUS
on Linux, as well as HP’s own RADIUS
appliance.

Because  Identity  Driven  Manager  is  inte¬ 
grated  into  HP’s  network  management  tools, 
it  brings  a  great  deal  of  visibility  to  the  whole 
NAC  infrastructure,  collecting  logon  and 
logoff  information  from  switches,  and  main¬ 
taining  profiles  and  history  information  on 
every  user. 

Identity Driven Manager works most naturally
with Windows Active Directory, and has
a plug-in that handles directory synchronization
between Active Directory and Identity
Driven Manager.

HP’s NAC solution depends
heavily on HP switches.

To  leverage  HP’s  built-in  security  capabili¬ 
ties,  Identity  Driven  Manager  lets  you  define 
network  access  profiles  for  each  user  or  Active 
Directory  group.  These  can  provide  standard 
VLAN  assignment,  but  also  QoS  profiles,  rate 
limiting  and  access  control  lists. 

The  sophistication  of  Identity  Driven  Man¬ 
ager’s  access  control  rules  (and  the  simplicity 
of  building  ACLs)  makes  it  one  of  the  stron¬ 
gest  solutions  for  a  NAC  deployment  focusing 
on  fine-grained  access  controls. 

Identity  Driven  Manager  is  especially 
well  named,  because  it  really  focuses  on 
identity  and  gives  very  little  thought  to  end¬ 
point  security  checking.  HP  doesn’t  actually 
include  an  endpoint  security  checker,  but  it 
does  integrate  fully  with  Microsoft’s  NAP 
client,  as  well  as  with  third-party  endpoint 
security  checkers. 

HP’s  Identity  Driven  Manager  depends 
heavily  on  HP  switches  for  some  NAC  fea¬ 
tures  that  might  have  been  included,  such  as 
a  captive  portal  for  guests  who  do  not  authen¬ 
ticate  with  802.1X. 

There  is  also  no  real  support  for  MAC- 
based  authentication  (for  VoIP  phones  and 
printers),  creating  a  requirement  for  the  net¬ 
work  manager  to  manually  separate  out  these 
devices  from  the  NAC  solution. 

HP’s  NAC  will  be  most  attractive  to  existing 
HP  switch  customers.  One  of  the  advantages 
of  Identity  Driven  Manager,  though,  is  that  it 
is  simple  both  in  concept  and  in  management. 
Rather  than  depending  heavily  on  magical 
back-door  configuration  of  devices,  Identity 
Driven  Manager  offers  a  simple  802.1X-based 
NAC  solution  that  marries  authentica¬ 
tion,  some  endpoint  security  features  and 
strong  access  controls  in  a  very  cost-effective 
package. 

Juniper  NAC:  Powerful, 
complex 

PRODUCT:  Unified  Access  Control  (UAC) 
v3.1 

PRICING  (1,000  USERS):  $42,400 
STRENGTHS:  Many  deployment  options; 
integration  with  SSL-VPN,  powerful  feature 
set. 

WEAKNESSES: Complexity, works best in
Juniper-based  network. 

Trying  to  describe  Juniper’s  UAC  is  dif¬ 
ficult,  because  Juniper’s  NAC  strategy  has 
its  tendrils  in  virtually  every  security  prod¬ 
uct  the  company  makes,  from  firewalls  to 
switches  to  SSL  VPNs. 

32 JUNE 21, 2010 www.networkworld.com

[Figure: access control policy list; columns for policy name, allow/deny rules by subnet, and the role each policy applies to.]

Juniper UAC centers around its Infranet
Controller, a hardware appliance that
serves  as  a  RADIUS  proxy  and  server, 
an  endpoint  security  checker  and  an 
access  control  policy  manager.  Once 
you’ve  put  in  the  appropriately  sized 
Infranet  Controller,  though,  Juniper 
stuns  you  with  piles  of  options  and 
flexibility.  Since  NAC  usually  starts 
with  authentication  of  some  sort, 
Infranet  Controller  supports  three  dif¬ 
ferent  models:  802.1X  or  MAC-based 
authentication  at  the  edge  device;  a 
captive  portal  for  guest  or  staff  authentica¬ 
tion;  and  authentication  using  the  UAC  cli¬ 
ent.  One  nice  feature  of  UAC  is  the  ability  to 
mix  and  match  all  three,  although  doing  so 
will  likely  make  an  unmanageably  complex 
configuration. 

Authentication  can  be  mixed  with  endpoint 
security  checks,  using  either  the  UAC  client 
for  Mac  and  Windows,  or  Microsoft’s  NAP 
client.  UAC  builds  on  Juniper’s  existing  SSL 
VPN  endpoint  security  base,  so  both  installed 
clients  and  Web-based  clients  are  supported 
for  endpoint  security  checks. 

Once  users  have  passed  authentication 
and  endpoint  security,  access  controls  can 
be  applied.  Because  Juniper  encourages  you 
to  use  802.1X,  it  is  able  to  push  access  control 
information  down  to  switches  at  the  edge. 
But  Juniper  has  added  hooks  into  its  own 
ScreenOS  and  JunOS  operating  systems  so 
that  UAC  can  simultaneously  push  access 
controls  into  in-line  devices  including  fire¬ 
walls  and  many  of  its  routing  platforms. 

One  of  the  nice  things  about  this  approach 
is  that  you  get  many  of  the  benefits  of  an  in¬ 
line  enforcement  without  the  performance 
problems.  UAC  is  also  agnostic  about  the 
location  of  enforcement:  you  can  use  802.1X 
controls,  in-line  controls,  or  both. 

Finally, UAC can also push host-based
access  controls  into  network  devices  that  are 
using  the  UAC  client  software. 

Juniper’s  endpoint  security  checking 
doesn’t  end  at  the  moment  of  authentication. 
Both continuous endpoint checking and external
links to intrusion detection/prevention systems
are supported.

UAC  is  the  only  product  we  tested  that  fully 
integrates  a  NAC  product  line  with  an  SSL 
VPN  product  line  —  although  the  mechanism 
is  fairly  complex.  Unfortunately,  SSL  VPNs 
don’t  inherently  mix  well  with  the  mecha¬ 
nisms  that  vendors  have  chosen  for  NAC,  so 
putting  NAC  and  SSL  VPN  together  seems  to 
imply  a  single-vendor  solution. 

All  of  this  adds  up  to  a  difficult-to-master 
system.  To  Juniper’s  credit,  though,  I  spent 
less  time  debugging  problems  with  UAC  than 
all  the  other  NAC  devices  because  by  the  time 


I  figured  out  how  to  configure  it,  things  just 
worked. 

One  big  reason  for  this  is  because  Juniper 
now  includes  a  “Base  Case”  pre-configuration 
that  pre-populates  and  documents  UAC  with 
common  deployment  strategies.  Without  it, 
no  mortal  would  be  able  to  figure  out  how  to 
glue  all  the  pieces  of  UAC  together. 

UAC  isn’t  just  for  Juniper  customers;  you 
could  use  UAC  to  apply  sophisticated  NAC 
to  a  heterogeneous  network  of  managed  and 
unmanaged  switches.  It’s  a  solid,  if  complex, 
product.  However,  UAC  is  best  distinguished 
from  the  pack  when  Juniper’s  own  enforce¬ 
ment  devices  are  added  to  the  network.  In 
that  case,  UAC  is  a  top  contender  for  securing 
networks  and  endpoints  with  NAC. 

McAfee  NAC  focuses  on 
endpoint  protection 

PRODUCT:  ePolicy  Orchestrator  4.5,  McAfee 
Network  Security  Manager  v6,  and  the 
N-450  NAC  Appliance 
PRICING  (1,000  USERS):  $26,200 
STRENGTHS:  Strong  endpoint  security, 
tight  product  integration. 

WEAKNESSES:  Fine-grained  access  control. 

McAfee’s  NAC  strategy  rests  on  two 
separate,  but  tightly  integrated  products. 

The  first  is  ePolicy  Orchestrator,  which  is 
McAfee’s  endpoint  security  client  manage¬ 
ment  system. 

ePolicy Orchestrator can report the results
of  endpoint  security  policies  back  to  the  other 
half  of  McAfee’s  NAC  product  line.  That’s  the 
N-450  NAC  Appliance  and  McAfee’s  Net¬ 
work  Security  Manager.  When  a  device  run¬ 
ning  McAfee’s  endpoint  security  comes  on 
the  network,  the  N-450  acts  to  enforce  access 
control  policies  and  endpoint  security  poli¬ 
cies  for  that  client. 

The  NAC  Appliance  and  Network  Security 
Manager  can  enforce  NAC  policies  via  full  in¬ 
line  enforcement,  DHCP-based  enforcement 
or  VLANs  enforced  at  the  edge  of  the  network, 
which  we  focused  on. 

In  edge  enforcement,  the  NAC  Appliance 
starts  in-line  between  the  user  device  and  the 


rest  of  the  network.  The  user  authenti¬ 
cates  to  the  network  using  their  Win¬ 
dows  login,  switch-based  802.1X,  or  a 
captive  portal  provided  by  McAfee. 

If  the  end  device  is  running  the  McA¬ 
fee  client,  and  if  the  user  is  compliant 
with  the  endpoint  security  policy,  then 
the  NAC  Appliance  gets  “out  of  the 
way.” 

You  can  choose  to  leave  the  NAC 
Appliance  in-line  for  some  users  and 
apply  more  sophisticated  access  con¬ 
trols  for  end  users  such  as  guests  who  may 
need  more  watching. 

In  our  tests,  we  found  McAfee  NAC  at  a 
crossroads.  While  the  ePolicy  Orchestrator 
is solid and well tested, the NAC Appliance
and Network Security Manager are a fusion
of  McAfee  thinking  on  NAC  combined  with 
technology  McAfee  acquired  from  Lockdown 
Networks. 

This  left  a  few  bumpy  spots  in  the  road 
when  it  came  to  enforcement.  Lockdown  was 
notorious  for  its  feature-creep  and  it’s  going  to 
take  McAfee  some  time  to  get  its  head  around 
all  of  the  capabilities  inherited. 

With  VLAN  switching  as  the  primary 
enforcement  mechanism,  McAfee  NAC  is 
clearly  slanted  towards  endpoint  security 
and  compliance  requirements  more  than 
fine-grained  network  access  controls.  Because 
McAfee  NAC  depends  heavily  on  ePolicy 
Orchestrator,  existing  McAfee  endpoint  secu¬ 
rity  customers  will  find  that  adding  McAfee’s 
NAC  to  their  networks  is  a  very  natural  and 
easy  extension. 

Microsoft  offers  free,  basic 
NAC  for  Windows-only  shops 

PRODUCT:  Network  Access  Protection 
(NAP),  including  the  NAP  client  and  Net¬ 
work  Policy  Server  (NPS) 

PRICING (1,000 USERS): NAP client is
included  with  all  versions  of  Windows;  NPS 
is  included  with  Windows  2008  server 
STRENGTHS:  Free  to  Windows  shops,  built 
into  products  most  enterprises  already  have. 
WEAKNESSES:  Windows-only,  features  are 
relatively primitive.

Network  Access  Protection  (NAP)  is  the 
term  Microsoft  uses  for  a  suite  of  enforcement 
mechanisms  closely  tied  to  endpoint  security 
compliance. 

NAP  is  based  on  a  Windows-only  client 
that  combines  endpoint  security  checking 
with  optional  authentication.  Out-of-the-box, 
the  Microsoft  NAP  client  uses  Windows  Secu¬ 
rity  Center  for  its  health  check,  giving  a  fairly 
basic  set  of  endpoint  security  checks  —  antivi¬ 
rus,  antispyware,  firewall,  automatic  patching. 
However, the NAP client’s health check can be
swapped  for  any  third-party  health  checker 
that  is  NAP  compatible. 

Microsoft  NAP  will  work  best  in  an  all- 
Microsoft  operating  system  environment 
where  all  devices  are  joined  to  a  Windows 
domain.  In  those  situations,  the  management 
of  the  NAP  client  can  be  handled  through 
normal  domain  configuration  tools.  With¬ 
out  the  convenience  of  domain  configuration, 
setting  up  Microsoft  NAP  can  be  complicated, 
although  there  are  third-party  vendors,  such 
as  Cloudpath  Networks,  that  have  worked  to 
make  this  simpler. 

Even  with  this  additional  help,  though, 
there’s  no  real  support  for  tools  such  as  cap¬ 
tive  portals,  guest  management  and  MAC- 
based  authentication  within  NAP. 

Network  Policy  Server  (NPS)  is  a  RADIUS 
server,  which  gives  NAP  the  ability  to  operate 
in  an  802.1X  environment  with  network  edge 
enforcement.  Although  NPS  does  have  generic 
RADIUS  capabilities  to  deliver  VLAN  and 
ACL  information  to  switches  in  an  802.1X  sce¬ 
nario,  the  facilities  to  manage  these  settings  in 
NPS  are  fairly  primitive,  which  makes  it  really 
only  suitable  for  VLAN  assignment  as  an 
access  control  enforcement  technique. 
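The VLAN assignment described above travels as three RADIUS tunnel attributes in the Access-Accept (RFC 2868 encoding, RFC 3580 values). The following is an added example, not code from the article or from Microsoft; the function names are hypothetical, and the parser returns no VLAN for incomplete or malformed sets so that an enforcement point using it would fail closed.

```python
import struct

# RADIUS attribute numbers (RFC 2868) and the values RFC 3580 assigns for VLANs.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6


def build_vlan_attrs(vlan_id: str, tag: int = 0) -> bytes:
    """Encode the three attributes a RADIUS server adds to an Access-Accept."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00-0x1F")

    def tagged_int(attr: int, value: int) -> bytes:
        # Type, Length=6, Tag, 3-byte big-endian value
        return struct.pack("!BBB", attr, 6, tag) + value.to_bytes(3, "big")

    # The string attribute carries the tag only when it is non-zero.
    body = (bytes([tag]) if tag else b"") + vlan_id.encode("ascii")
    return (tagged_int(TUNNEL_TYPE, TYPE_VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, MEDIUM_IEEE_802)
            + struct.pack("!BB", TUNNEL_PRIVATE_GROUP_ID, 2 + len(body)) + body)


def iter_attrs(data: bytes):
    """Yield (type, value) for each TLV; raise ValueError on bad lengths."""
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        yield attr, data[pos + 2:pos + length]
        pos += length


def vlan_from_access_accept(attrs: bytes):
    """Return the VLAN ID as a string, or None if the assignment is unusable."""
    tunnels = {}  # tag -> {"type": int, "medium": int, "group": str}
    try:
        for attr, value in iter_attrs(attrs):
            if attr in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
                if len(value) != 4:
                    return None
                key = "type" if attr == TUNNEL_TYPE else "medium"
                tunnels.setdefault(value[0], {})[key] = int.from_bytes(value[1:], "big")
            elif attr == TUNNEL_PRIVATE_GROUP_ID:
                if not value:
                    return None
                # Assumption of this example: a first byte <= 0x1F is a tag,
                # anything larger is already the first character of the string.
                if value[0] <= 0x1F:
                    tag, group = value[0], value[1:]
                else:
                    tag, group = 0, value
                tunnels.setdefault(tag, {})["group"] = group.decode("ascii", "replace")
    except ValueError:
        return None  # malformed attribute list: assign nothing

    # All three attributes must be present under the same tag.
    for tag in sorted(tunnels):
        t = tunnels[tag]
        group = t.get("group", "")
        if (t.get("type") == TYPE_VLAN and t.get("medium") == MEDIUM_IEEE_802
                and group.isdigit() and 1 <= int(group) <= 4094):
            return group
    return None


if __name__ == "__main__":
    sample = build_vlan_attrs("20")          # constructed sample, VLAN 20
    print(sample.hex(), "->", vlan_from_access_accept(sample))
```
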

However,  NAP  and  NPS  can  enforce  access 
controls  through  other  mechanisms.  DHCP- 
based  enforcement  (assuming  you  are  using 
Microsoft’s  DHCP  server)  is  still  available. 
Microsoft’s  own  VPN  server  (Routing  and 
Remote  Access  Server)  is  also  tied  to  NAP,  so 
users  connecting  through  RRAS  can  have  dif¬ 
ferentiated  access  based  on  the  state  of  their 
endpoint  security  at  connection  time. 

And,  in  a  pure  Windows  environment  on  a 
LAN  with  everyone  playing  by  the  same  rule 
book,  you  can  use  IPsec. 

Microsoft’s  NAP  is  certainly  not  the  most 
functional  NAC  solution  we  tested,  but  it 
has  a  huge  advantage  over  every  other  solu¬ 
tion:  it’s  built-in  to  Windows.  Savvy  network 
managers  will  look  for  ways  to  work  around 
NAP’s  weaker  spots,  while  taking  advantage 
of  the  strong  parts  of  the  architecture,  such  as 
the  built-in  client  and  easy  integration  with 
Windows. 

Symantec  NAC:  Easy  to 
install,  strong  on  endpoint 
compliance 

PRODUCT:  Symantec  Network  Access 
Control v11 (including Symantec Endpoint
Protection v11)

PRICING (1,000 USERS): $14,449 to
$48,449 

STRENGTHS: Endpoint compliance, ease of use.


WEAKNESSES:  Authentication,  fine¬ 
grained  access  control. 

Symantec  NAC  is  all  about  compliance: 
ensuring  that  devices  on  your  network  prop¬ 
erly  comply  with  the  endpoint  security  policy 
you  set  in  your  Symantec  Endpoint  Protection 
console.  Symantec  NAC  isn’t  about  authenti¬ 
cation  or  access  controls  beyond  basic  VLAN 
switching.  If  endpoint  security  compliance  is 
what  you  want,  and  if  you’re  already  a  Syman¬ 
tec  shop,  then  this  is  a  great  product  for  you. 

Symantec  NAC  includes  its  standard  end¬ 
point  protection  suite  for  desktops,  and  one  or 
more  appliances  that  act  as  enforcers  for  NAC 
policy.  When  you  first  configure  an  enforcer 
appliance,  you  tell  it  whether  to  be  an  802.1X 
enforcer,  a  DHCP  enforcer,  or  an  in-line  gate¬ 
way  enforcer  that  applies  packet  filters  to  the 
traffic  flowing  through  it. 

The  strong  point  of  the  Symantec  NAC 
product  is  endpoint  security,  but  there  are 
other  features,  such  as  a  simple  guest  por¬ 
tal  (if  you  have  a  gateway  enforcer)  with  on- 
demand  endpoint  security  scans,  which  also 
includes  support  for  MAC-based  authentica¬ 
tion  (for  VoIP  phones  and  printers). 

Symantec  NAC  includes  support  for 
VLAN  assignment  in  Cisco  wired  and  wire¬ 
less  switches,  Alcatel-Lucent,  Foundry,  HP, 
Nortel  and  Extreme  switches,  as  well  as  Airo- 
net  wireless  controllers. 

We  found  Symantec  NAC  easy  to  install 
and  manage.  If  you  have  Symantec  Endpoint 
Protection  installed,  and  if  endpoint  security 
compliance  is  your  main  reason  for  investi¬ 
gating  NAC,  then  you’ll  find  Symantec  NAC 
an  inexpensive  way  to  add  NAC. 

Trustwave NAC:
Deployment is a snap

PRODUCT:  NAC  v3.4 
PRICING  (1,000  USERS):  $30,000 
STRENGTHS:  Easy  to  deploy,  doesn’t 
require  network  changes. 

WEAKNESSES:  Reactive,  best  suited  for 
small  offices,  branches. 

Trustwave NAC is the ultimate “zero touch” NAC
product. It doesn’t need to know anything about
your infrastructure; it doesn’t require that you
implement 802.1X. To use Trustwave NAC, you put
it in a position to monitor traffic on each of your
network segments. Then, to enforce access controls,
Trustwave NAC injects packets into the network,
which cause it to become a “man-in-the-middle,”
presenting a captive portal and providing endpoint
security scanning software. When a workstation has
passed both authentication and endpoint security
requirements, Trustwave NAC releases its hold on
the device and traffic flows normally.

Although  the  documentation  on  Trustwave 
NAC  can  best  be  described  as  “dismal  to  awful,” 
the  product  is  fairly  easy  to  understand  and  to 
configure.  For  example,  if  your  NAC  policy 
says  that  someone  must  not  be  running  an 
FTP  server,  then  the  Trustwave  NAC  appli¬ 
ance  port  scanner  will  look  for  FTP  servers.  If 
you  don’t  have  FTP  servers  in  your  policy,  then 
they  won’t  bother  to  look  for  them. 

Normally,  LAN  users  authenticate  indi¬ 
rectly  into  Trustwave  NAC.  If  you  have  802.1X, 
or  if  users  log  in  via  Active  Directory,  then 
Trustwave  NAC  can  detect  this  and  will  assign 
credentials  to  the  device.  For  guest  users  who 
do  not  log  into  a  domain  or  use  802.1X,  Trust- 
wave  NAC  will  redirect  the  user  to  a  captive 
portal  which  can  be  used  for  both  authentica¬ 
tion  and  endpoint  security  checking. 

Trustwave NAC tries to be as unobtrusive
as possible. A combination of network monitoring
and active network-based scanning
is used to detect the status and state of each
device on the network.

This  makes  it  more  of  a  reactive  product 
than  a  proactive  product,  in  the  sense  that  it 
will  detect  bad  behavior  when  it  occurs  but  not 
necessarily  help  in  managing  compliance. 

Trustwave  NAC  does  not  require  active 
changes  to  the  network,  a  huge  benefit.  While 
this  comes  with  some  restrictions,  such  as  a 
weaker  endpoint  security  host  checking  model, 
it  also  will  be  attractive  to  many  network  man¬ 
agers,  especially  in  smaller  sites,  where  net¬ 
work  changes  are  difficult. 

However,  Trustwave  NAC’s  strategy  of 
tricking  the  network  by  poisoning  ARP 
caches  and  injecting  TCP  packets  might  send 
chills  down  the  spine  of  a  network  manager. 
When  you  can’t  trust  basic  troubleshooting 
tools  such  as  Ping  and  Traceroute 
or  the  predictability  of  the  TCP 
state  machine,  you’re  opening  up 
the  potential  for  small  network 
problems to become un-debuggable
nightmares. On the other
hand,  for  small,  well-behaved  net¬ 
works  such  as  at  branch  offices, 
this  concern  might  be  overstated. 
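For the troubleshooting concern above, a network manager can at least make ARP-level changes visible. This added example (not from the article or from Trustwave) compares two constructed Linux `ip neigh` snapshots and reports IPs whose MAC address changed and MACs answering for several IPs; the function names and the threshold are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Matches `ip neigh` lines that carry a link-layer address, e.g.
#   10.0.2.1 dev eth0 lladdr 00:00:5e:00:01:01 REACHABLE
NEIGH_RE = re.compile(
    r"^(?P<ip>\d+\.\d+\.\d+\.\d+)\s+dev\s+\S+\s+lladdr\s+(?P<mac>[0-9a-fA-F:]{17})\b"
)

# Constructed sample snapshots (not captured from a real network).
SAMPLE_BEFORE = """\
10.0.2.1 dev eth0 lladdr 00:00:5e:00:01:01 REACHABLE
10.0.2.10 dev eth0 lladdr 02:00:00:00:00:10 STALE
10.0.2.11 dev eth0 lladdr 02:00:00:00:00:11 STALE
10.0.2.12 dev eth0 FAILED
"""
SAMPLE_AFTER = """\
10.0.2.1 dev eth0 lladdr 02:00:00:00:00:99 REACHABLE
10.0.2.10 dev eth0 lladdr 02:00:00:00:00:99 REACHABLE
10.0.2.11 dev eth0 lladdr 02:00:00:00:00:99 REACHABLE
"""


def parse_neigh(text: str) -> dict:
    """Return {ip: mac} for every resolved entry; unresolved lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m["ip"]] = m["mac"].lower()
    return table


def arp_findings(before: str, after: str, shared_threshold: int = 3) -> list:
    """Compare two snapshots and list changes worth a second look."""
    old, new = parse_neigh(before), parse_neigh(after)
    findings = []

    # 1. The same IP now resolves to a different MAC.
    for ip in sorted(new, key=ipaddress.ip_address):
        if ip in old and old[ip] != new[ip]:
            findings.append({"kind": "mac-changed", "ip": ip,
                             "old": old[ip], "new": new[ip]})

    # 2. One MAC answers for many IPs. A router doing proxy ARP also looks
    #    like this, so treat it as a prompt to check, not a verdict.
    owners = defaultdict(list)
    for ip, mac in new.items():
        owners[mac].append(ip)
    for mac in sorted(owners):
        if len(owners[mac]) >= shared_threshold:
            findings.append({"kind": "mac-shared", "mac": mac,
                             "ips": sorted(owners[mac], key=ipaddress.ip_address)})
    return findings


if __name__ == "__main__":
    for finding in arp_findings(SAMPLE_BEFORE, SAMPLE_AFTER):
        print(finding)
```
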

Snyder  is  a  senior  partner  at 
Opus  One  in  Tucson,  Ariz.  He 
can be reached at Joel.Snyder@opus1.com.
Cloud: Public or Private?


A  PRIVATE  CLOUD  IS  THE  clear  choice  for 
enterprise  and  government  organi¬ 
zations  looking  to  reap  the  benefits 
of  cloud  computing  without  compro¬ 
mising  critical  security  policies  or 
overall  system  flexibility. 

Organizations  that  are  able  to 
closely  align  IT  initiatives  with  core 
business  strategies  are  more  agile, 
more  responsive  and  more  effective 
than  their  peers.  But  the  accelerat¬ 
ing  user  demand  for  infrastructure, 
coupled  with  ever-present  restric¬ 
tions  on  IT  budgets  and  staff,  has 
created  a  dilemma:  How  do  you 
cost-effectively  scale  operations 
while  staying  aligned  with  the  core 
business? 

The  obvious  solution  is  to  transition  to  a  cloud-based  infra¬ 
structure  delivery  model:  the  promise  of  better  utilization,  higher 
productivity  and  truly  dynamic  IT  is  impossible  to  ignore.  While 
some  public  cloud  options  look  attractive,  a  private  cloud  is  the 
way  to  go.  Here  are  some  things  to  consider: 

■  The  private  cloud  lives  within  your  firewall  and  gives  you  con¬ 
trol  over  your  data:  who  has  access,  where  it  lives,  and  how  it’s 
transferred.  Organizations  that  deal  in  private  and  proprietary 
data  (e.g.  financial  services,  healthcare,  and  government  insti¬ 
tutions)  simply  cannot  risk  third-party  access  to  sensitive  data, 
and  even  face  legal  ramifications  for  breaches. 

John Merchant, assistant vice president of the
Hartford Financial Services, was recently quoted
as  saying,  “as  a  Fortune  500  company  with 
highly  regulated  data  and  a  very  conservative 
outlook,  it’s  going  to  be  difficult  for  any  insurance 
company  or  any  financial  institution  of  any  size 
to  migrate  any  data  to  the  [public]  cloud.”  Public 
cloud  offerings  simply  aren’t  able  to  adequately 
address  the  security  and  privacy  needs  of  data- 
sensitive  organizations. 

■  Private  clouds  offer  a  way  for  these  organiza¬ 
tions  to  transition  existing  data  center  invest¬ 
ments  into  a  more  scalable,  user-friendly  model 
while  maintaining  control  over  data. 

■  The  private  cloud  is  a  “force  multiplier”. 

Enterprise  and  government  organizations 
have  already  made  investments  in  large  data 
centers  with  thousands  of  servers,  support¬ 
ing  infrastructure  and  management  software. 

Clearly,  these  investments  will  not  be  retired 

►  See  Private,  page  38 


GIVEN  THE  IMPACT  PUBLIC  CLOUDS 

have  had  on  consumers  and  society, 
it’s  no  wonder  businesses  are  trying 
to  match  this  level  of  agility  with  their 
internal  infrastructure.  I  often  hear 
enterprises  lament:  “I  wish  I  could 
deploy  Amazon’s  EC2  internally  for 
my  private  cloud.” 

They  envy  the  readiness  of  on- 
demand  execution,  the  fluidity  and 
elegance  of  systems  delivery.  It  is  a 
sense  of  freedom  from  the  constraints 
of  traditional  IT. 

But  replicating  public  cloud  ser¬ 
vices  will  not  come  easy.  While  orga¬ 
nizations  can  strive  to  make  IT  the 
electricity  that  enables  the  business, 
there  are  many  legacy  impediments. 
Enterprise  IT  is  not  ready  to  aggre¬ 
gate  infrastructure  in  shared  pools  and  to  charge  it  back  on  usage. 
Infrastructure  still  tends  to  be  acquired  for  internal  customers 
without  asking:  “Does  it  need  to  be  dedicated?”  “How  long  do  you 
need  it  for?”  and  lastly:  “Who  is  the  consumer?” 

While  enterprise  IT  is  pondering  the  answers  to  these  core 
questions,  the  overwhelming  benefits  of  public  cloud  services 
will  drive  businesses  to  adopt  them  more  quickly  than  not.  In 
a  highly  competitive,  global  marketplace,  businesses  with  the 
agility  to  respond  quickest  to  customers  have  the  advantage,  and 
public  cloud  services  allow  them  to  ramp  up  and  ramp  down  to 
meet  changing  levels  of  demand  in  different  geog¬ 
raphies  and  markets. 

Once  business  category  leaders  start  adopting 
public  cloud  services,  they  will  gain  an  advantage, 
their  market  share  will  grow  and  competitors  will 
quickly  follow. 

Of  course,  the  primary  case  against  enterprise 
use  of  public  clouds  right  now  is  security.  While 
security  is  a  challenge,  there  are  ways  to  meet 
compliance  rules  and  mitigate  risk.  Consider,  for 
example,  SalesForce.com,  one  of  the  biggest  busi¬ 
ness  public  clouds  in  use  today.  Companies  read¬ 
ily  deliver  all  their  customer  contacts  and  revenue 
pipeline  information  without  worrying  about 
either  privacy  or  commingling  of  data  with  other 
organizations. 

The  Salesforce  application  was  built  from 
scratch  with  public  cloud  delivery  in  mind:  data 
is  segregated  in  multi-tenancy  or  can  be  obfus¬ 
cated  or  tagged  so  data  resolution  happens  only 

► See Public, page 38
► Private, from page 35

overnight.  Rather,  these  organizations  need  a  way  to  transform 
this  powerful,  albeit  static,  infrastructure  into  a  dynamic,  fully 
automated  cloud  that  still  conforms  to  existing  security  and 
privacy  policies. 

Private  clouds  provide  two  major  benefits.  The  first  is  a  dra¬ 
matic  increase  in  the  utilization  of  existing  infrastructure,  which 
drives  down  costs  and  limits  the  need  for  future  purchases.  With 
cloud-based  capacity  management,  administrators  can  increase 
utilization  from  around  40%  (with  virtualization  alone)  up  to 
75%  to  85%,  and  they  have  detailed  insight  into  exactly  how  that 
infrastructure  is  being  used. 

Second,  because  of  the  powerful  automation  engine  enabling 
the  private  cloud,  administrators  can  break  the  cycle  of 
never-ending  hands-on  provisioning  and  reclamation  to  focus 
on  strategic  functions,  such  as  IT  service  design  and  policy 
management. 

■  The  private  cloud  offers  clear  ownership  and  accountability. 
What’s  the  game  plan  when  something  goes  wrong?  With  a 
public  solution,  you’ll  be  dealing  with  both  internal  owners  and 
likely  multiple  external  owners  to  resolve  the  issue,  which  can 
result  in  confusion  and  resolution  delays.  With  a  private  cloud, 
you  own  the  cloud  and  can  prioritize  resolution  based  on  the 
needs  of  your  business,  rather  than  someone  else’s. 

When  you  add  it  all  up,  it  is  clear  that  enterprise  and  govern¬ 
ment  organizations  maintain  high  standards  for  security,  privacy 
and  cost  management,  while  transforming  their  operations  into  a 
dynamic,  flexible  environment.  The  best  solution  for  them  is  the 
private  cloud.  ■ 

Malcolm  oversees  software  development,  product  management 
and  data  center  operations.  Surgient  has  built  over  150  private 
clouds  for  companies  like  Target,  GE  and  Bank  of  New  York. 


►  Public,  from  page  35 

internally  within  the  owner’s  firewalls. 

In  fact,  we  have  not  really  had  a  big  security  breach  in  public 
clouds.  If  any  problem  had  occurred,  you  can  bet  the  news  would 
have  spread  in  a  matter  of  minutes.  Meanwhile,  we  often  hear 
about  the  loss  of  PCs  or  thumb  drives  containing  Social  Security 
numbers  or  instances  of  fraud  executed  inside  the  “private  cloud.” 

That  said,  to  ensure  a  secure  public  cloud  experience  it  is  impor¬ 
tant  to  know  who  the  provider  is,  their  profile,  service  excellence 
and  history. 

Public  clouds  are  blazing  the  trail  for  enterprise  IT.  Realistically, 
it  would  take  quite  some  time  for  private  clouds  to  achieve  the  same 
level  of  usage  and  sophistication. 

Consider,  for  example,  what  the  Haiti  relief  effort  showed  us 
about  the  power  of  the  public  cloud.  Without  public  cloud  services, 
participating  charities  would  have  had  to  anticipate  the  demand 
and  get  pledge  money  to  build  out  the  infrastructure  to  accommo¬ 
date  the  spike  in  user  pledges,  and  then  maintain  it  as  it  sat  idle 
long  after  that  first  month’s  peak  of  generosity. 

While  public  cloud  services  are  proving  their  worth  and  attract¬ 
ing  new  converts  every  day,  we  will  ultimately  see  the  emergence  of 
a  hybrid  public/private  mix  that  can  satisfy  any  lingering  security 
or  regulatory  concerns  about  particular  data.  But  without  compro¬ 
mising  their  most  sensitive  data,  businesses  will  move  as  much  of 
their  workloads  as  possible  to  take  advantage  of  the  flexibility  and 
agility  offered  by  public  cloud  services.  ■ 

Giunta  is  responsible  for  implementing  CSC’s  cloud  computing 
strategy.  She  heads  CSC's  Trusted  Cloud  and  Hosting  Business 
Group,  using  cloud  capabilities  to  extend  the  company’s  strength 
in  consulting,  systems  design  and  integration. 
Private Cloud?

Public clouds have some great
benefits,  but  for  the  level  of  security 
that  enterprise  customers  require  I 
think  the  choice  will  nearly  always  be 
private.  I  am  also  yet  to  be  convinced 
that  there  is  any  such  a  thing  as  a  private 
cloud.  My  observations  to  date  are  that 
private  clouds  are  just  virtual  infra¬ 
structure,  not  really  different  from  any 
other  virtual  infrastructure  that  hasn't 
had  the  "cloud"  moniker  stuck  on  to  it. 

Public  Cloud  security 

Security should be a concern in
public or private clouds, but I'd say a lot
of talk about public clouds having no
security is overblown. Many of those
public cloud SP Data Centers are state of
the art. They are run by talented people
hired to do the job. Their physical security
is often better than most corporations.
Finally, security takes many forms,
including  disaster-recovery  planning.  If 
you  go  with  a  private  cloud,  where  is  your 
DR  site?  Do  you  use  a  public  cloud  for  it 
or  pre-stage  a  backup  private  cloud  your¬ 
self  ($$).  And  will  that  somewhere  else 
be  on  a  separate  power  grid,  flood  plain 
etc.  from  where  the  first  site  is?  There  is 
no  single  right  answer  to  the  question  of 
Public  vs.  Private  cloud  as  it  depends  on 
many  considerations.  BRIAN  MULLAN 

Public  clouds  are 
already  well  understood, 
widely  used .... 

Perfect! Hi Siki, can we start
with  CSC  first  and  move  all  of  CSC's 
internal  applications  to  the  public 
cloud?  How  about  starting  from 
the  HR,  Finance  and  legal  depart¬ 
ments.  All  meet  your  definitions... 


What  happens  to 
agility  when  public 
clouds  consolidate? 

Right now there’s a gold rush proliferation
of public providers. Do I avoid the
public crowds and performance swings
by going to boutique public providers or
wait it out until there's consolidation and
market  stability?  At  least  with  a  private 
now,  hybrid  tomorrow,  public  eventu¬ 
ally  model,  I  seem  to  be  more  protected 
from  Darwin  and  Murphy's  Law.  ANON 

Private  cloud 

Private cloud offers much faster
provisioning and cost reduction vs. a traditional
physical (non virtualized) infrastructure.
The advantages are not theoretical,
they are proven over and over and
they are relatively easy to realize. I know
because I have done it. RICK PARKER
Sprint cell woes: your reaction


FOLLOWING  YOUR  feedback  to  my  column 
“An  open  letter  to  Dan  Hesse,  Sprint  CEO”  I 
need  to  clear  up  something  that  apparently 
some  of  you  didn’t  get:  I  understand  the  economics  of  consumer  cel¬ 
lular  service;  what  I  couldn’t  get  over  was  that  it  makes  no  sense  for 
Sprint  to  let  me  go. 

Before  we  delve  into  that  issue  let’s  talk  about  feedback:  A  number 
of  you  (who  all  appear  to  be  called  “Anon”  -  which  strikes  me  as  par¬ 
ticularly  wussey)  chastised  me  for  a  variety  of  things  that  ranged  from 
comparing  me  to  Glenn  Beck  (one  of  the  most  bizarre  critiques  I’ve 
ever  received)  to  the  brain  damaged  “crap  reporting ...  how  much  did 
you  get  paid  by  the  other  carrier?  Sprint  rocks,  and  the  EVO  is  the  best 
phone  on  the  market”. 

Adding  the  online  comments  to  the  direct  e-mail  I  received  it  appears 
about  60%  of  respondents  agree  with  me  that  the  cell  phone  service 
providers  are  the  devil’s  spawn  and  most  likely  have  a  special  place  in 
hell  reserved  for  them,  while  about  40%  disagreed.  About  half  of  the 
latter  disagreed  strongly  enough  to  resort  to  name  calling  (my  favorite 
was  the  forum  response  that  started  out  calling  me  a  moron).  To  this 
group  all  I  can  say  is  your  mothers  wear  army  boots. 

So,  back  to  what  matters:  The  money.  Here’s  the  deal:  My  phone 
broke  and  Sprint  would  give  me  a  new  (low  end)  cell  phone  for  $155  if  I 
signed  up  for  a  new  two-year  contract.  Alternatively,  they’d  let  me  go  to 
another  carrier  (where  I  could  get  a  new  phone  for  free  by  signing  a  two- 
year  contract)  if  I  paid  $110  early  termination  fee.  The  best  deal  from  my 
perspective  is  obvious  and  involves  saying  goodbye  to  Sprint. 

After  my  column  ran  a  very  nice  chap  from  the  Sprint  executive 


offices  got  in  touch  and  we  had  a  long  conversation  about  the  econom¬ 
ics  of  cellular  service  and  the  nature  of  very  large  companies,  but  what 
did  he  get  stuck  on?  The  early  termination  fee.  His  rationale  was  that  it 
was  the  only  way  Sprint  could  recover  the  cost  of  acquiring  me.  What 
he  was  ignoring  was  the  cost  of  replacing  me. 

From  a  number  of  reports  it  appears  the  cost  of  “hunting”  (the 
marketing  term  for  customer  acquisition)  in  the  cellular  business  is 
in  the  region  of  $120.  Given  that  Sprint’s  customer  churn  in  the  first 
quarter  of  2010  was  2.15%  and  the  company  lost  75,000  customers 
it  would  appear  that  customer  replacement  will  be  in  the  realm  of 
$9,000,000! 

Now  what’s  the  cost  of  “farming”  existing  customers?  I’d  bet  a  lot 
lower  than  the  cost  of  acquiring  new  customers.  But  for  Sprint  there’s 
a  bigger  issue  than  just  losing  customers.  Just  search  Google  for  nega¬ 
tive  user  stories  about  Sprint;  it  lost  customers  and  pissed  them  off  at 
the  same  time. 

Now  I  suppose  that  by  me  paying  the  $110  to  get  out  of  the  account 
Sprint  can  treat  the  account  as  profitable,  but  they  have  lost  a  customer 
in  the  process  and  what  are  the  three  key  things  you  can  do  to  improve 
your  business?  That’s  right;  increase  profitability,  reduce  costs,  or 
make  your  customers  happy. 

In  Sprint’s  case,  the  profit  on  my  account  was  illusory,  it  will  cost 
them  to  replace  me,  and  they  wound  up  with  an  unhappy  ex-customer. 
And doesn’t that sound wrongheaded to you?

Gibbs  has  had  enough  of  cell  phones  in  Ventura,  Calif.  Try  contacting 
him  at  backspin@gibbs.com. 
Wikipedia confronts downside of 'Net openness

IN AN attempt to encourage greater participation in the crafting of its pages, Wikipedia is turning to tighter editorial control as a substitute for simply “locking” those entries that frequently attract mischief makers and ideologues.

The problem Wikipedia is attempting to address with its new “Pending Changes” policy more or less mirrors the grief faced by proprietors of any Internet forum that attempts to foster open participation and discussion: Anonymity attracts trolls. (Blog spam has rocketed past e-mail spam on my list of annoyances.)

That tighter control will encourage participation — and improve quality — may seem counter-intuitive, but in the context of Wikipedia’s long-running troubles with pranksters it makes a lot of sense. The new process is aimed at both first-time and anonymous contributors; in other words, those who are most likely to cause trouble.

A blog post from Wikipedia’s Moka Pantages explains: “Articles that are frequently subjected to malicious edits have long been locked, sometimes for years, and protected from editing by new and anonymous users. Over the last year, (we) have been working to develop Pending Changes, a softer alternative to these editing restrictions. At present, only about 0.1 percent of the 3.3 million articles on the English Wikipedia are under edit protection. This tool should help reduce disruptive edits or errors to articles while maintaining open, collaborative editing from anyone who wants to contribute.”

Changes submitted by new or anonymous users will be screened by Wikipedia editors before they are published, a process that is sure to create controversies of its own, but one preferable to the free-for-all that has rendered some Wikipedia pages untrustworthy.

The  trial  of  the  new  system  will  cover  a  maximum  of 2,000  pages. 
Wikipedia  recently  announced  that  it  has  received  a  $1.2  million 
grant  to  improve  the  accuracy  of  articles  about  public  policy,  many  of 
which  are  targets  of  pranksters  and  less-than-objective  editing. 

Even as the site has grown ever larger, Wikipedia has experienced a serious decline in participation. Some of that decline has been attributed to the difficulty experienced by newcomers.

If  it  works,  “Pending  Changes”  has  a  chance  to  address  both  issues. 

Internet  Society  bids  me  adieu  —  briefly 

The e-mail from The Internet Society (ISOC) hit my in-box with an unceremonious thud: “You have been unsubscribed from the ISOC-members-announce mailing list.” Huh? What? Why? I didn’t ...

Now,  granted,  I  have  not  attended  ISOC  meetings  in  recent  years 
(ever,  really)  or  offered  the  organization’s  activities  much  in  the  way 
of  news  coverage,  but  this  banishment  did  catch  me  by  surprise  and  I 
was  at  a  loss  to  understand  its  motivation. 

Then  about  an  hour  later  came  the  second  e-mail: 

“I  was  doing  some  list  maintenance  on  the  isoc-members-announce 
list  which  caused  unsubscribe  messages  to  be  sent  to  everybody  on  the 
list.  If  you  have  received  this  message  you  can  rest  assured  that  you  are 
still  subscribed  to  isoc-members-announce.  I  am  very  sorry  for  this 
mistake  and  hope  I  have  not  caused  you  undue  concern. 

Name Withheld to Protect the Careless”

Care  to  bid  me  something  else?  The  address  is  buzz@nww.com. 